TrueNAS | Enterprise Security Responses

Each entry below gives the table's columns as labelled fields: Component, Description, Security Reference, Severity, Security Risk, Impacted Version, Resolved Version, More Info, Additional Info.

Component: openssh
Description: A critical security vulnerability has been discovered in OpenSSH implementations on FreeBSD systems, potentially allowing attackers to execute remote code without authentication. The vulnerability, identified as CVE-2024-7589, affects all supported versions of FreeBSD.
Security Reference: CVE-2024-7589
Severity: High
Security Risk: None
Impacted Version: CORE-13.0-U5.3
Resolved Version: N/A (False Positive)
More Info: Link
Additional Info: The OpenSSH in TrueNAS is not built with the vulnerable feature enabled. TrueNAS is not vulnerable to this issue.

Component: openssh
Description: A security regression (CVE-2024-6387) was discovered in OpenSSH's server (sshd). A race condition can lead sshd to handle some signals in an unsafe manner. An unauthenticated, remote attacker may be able to trigger it by failing to authenticate within a set time period. This bug allows remote code execution.
Security Reference: CVE-2024-6387
Severity: High
Security Risk: High
Impacted Version: CORE-13.0-U5.3
Resolved Version: CORE-13.0-U6.2
More Info: Link

Component: py39-configobj-5.0.6_1
Description: All versions of the package configobj are vulnerable to Regular Expression Denial of Service (ReDoS) via the validate function, using (.+?)\((.*)\). Note: this is only exploitable when a developer puts the offending value in a server-side configuration file.
Security Reference: CVE-2023-26112
Severity: Medium
Security Risk: Low
Impacted Version: CORE-13.0-U5.3
Resolved Version: Not yet resolved
More Info: Link
Additional Info: Only exploitable by a privileged local user who already has full access to the system.

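The quadratic cost of the pattern quoted in that entry is easy to see in a few lines. The following Python block is an added example, not code from this page or from the configobj project: it matches the advisory's regex and a linear-time alternative against a validate-style check specification and against a constructed worst-case input. The alternative pattern, and the names `split_check`, `redos_input` and `time_match`, are this example's own; the alternative is not claimed to be configobj's released fix.

```python
"""Quadratic backtracking in the configobj validate regex (CVE-2023-26112), with a linear alternative.

Added example; not code from the TrueNAS page or from configobj. VULNERABLE is the
pattern the advisory quotes. HARDENED is a linear-time rewrite chosen for this
example (an assumption: it is not claimed to be configobj's released fix). Inputs
below are constructed.
"""
import re
import time

# Advisory pattern: the lazy `.+?` may stop before any '(' in the input, and for
# each stopping point the greedy `.*` rescans the remainder for a ')', so an input
# made of many '(' and no ')' costs O(n^2) steps before the match fails.
VULNERABLE = re.compile(r"(.+?)\((.*)\)", re.DOTALL)

# Linear alternative (assumption, see above): the name cannot contain '(', so the
# split point is the first '(' and there is no nested backtracking to explore.
HARDENED = re.compile(r"([^(]+)\((.*)\)", re.DOTALL)


def split_check(spec, pattern=HARDENED):
    """Return (name, args) for a validate-style check such as 'integer(min=0, max=10)'.

    Returns None when the spec is not in function-call form (e.g. plain 'string').
    """
    m = pattern.match(spec)
    if m is None:
        return None
    return m.group(1), m.group(2)


def redos_input(n):
    """Constructed worst case for VULNERABLE: n '(' characters and no ')'."""
    return "(" * n


def time_match(pattern, spec):
    """Wall-clock seconds for one pattern.match(spec); demonstration only."""
    start = time.perf_counter()
    pattern.match(spec)
    return time.perf_counter() - start


if __name__ == "__main__":
    print(split_check("integer(min=0, max=10)", VULNERABLE))
    print(split_check("integer(min=0, max=10)", HARDENED))
    # Doubling n roughly quadruples the vulnerable pattern's time; the hardened
    # pattern rejects the same input at once because '(' cannot start a name.
    for n in (2000, 4000, 8000):
        bad = redos_input(n)
        print(f"n={n}: vulnerable {time_match(VULNERABLE, bad):.3f}s, "
              f"hardened {time_match(HARDENED, bad):.6f}s")
```

Both patterns agree on ordinary check specifications; the difference is only in how much work the engine does when the input never matches, which is exactly the case an attacker supplies.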
Component: git-lite-2.34.1
Description: Git is an open source, scalable, distributed revision control system. `git shell` is a restricted login shell that can be used to implement Git's push/pull functionality via SSH. In versions prior to 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4, the function that splits the command arguments into an array improperly uses an `int` to represent the number of entries in the array, allowing a malicious actor to intentionally overflow the return value, leading to arbitrary heap writes. Because the resulting array is then passed to `execv()`, it is possible to leverage this attack to gain remote code execution on a victim machine. Note that a victim must first allow access to `git shell` as a login shell in order to be vulnerable to this attack. This problem is patched in versions 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4 and users are advised to upgrade to the latest version. Disabling `git shell` access via remote logins is a viable short-term workaround.
Security Reference: CVE-2022-39260
Severity: High
Security Risk: Low
Impacted Version: CORE-13.0-U5.3
Resolved Version: Not yet resolved
More Info: Link
Additional Info: Authorized SSH users are able to exploit this vulnerability; following the recommended security configuration of not providing that access mitigates the issue.

Component: git-lite-2.34.1
Description: Git is an open source, scalable, distributed revision control system. Versions prior to 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4 are subject to exposure of sensitive information to a malicious actor. When performing a local clone (where the source and target of the clone are on the same volume), Git copies the contents of the source's `$GIT_DIR/objects` directory into the destination by either creating hardlinks to the source contents, or copying them (if hardlinks are disabled via `--no-hardlinks`). A malicious actor could convince a victim to clone a repository with a symbolic link pointing at sensitive information on the victim's machine. This can be done either by having the victim clone a malicious repository on the same machine, or having them clone a malicious repository embedded as a bare repository via a submodule from any source, provided they clone with the `--recurse-submodules` option. Git does not create symbolic links in the `$GIT_DIR/objects` directory. The problem has been patched in the versions published on 2022-10-18, and backported to v2.30.x. Potential workarounds: avoid cloning untrusted repositories using the `--local` optimization when on a shared machine, either by passing the `--no-local` option to `git clone` or cloning from a URL that uses the `file://` scheme. Alternatively, avoid cloning repositories from untrusted sources with `--recurse-submodules`, or run `git config --global protocol.file.allow user`.
Security Reference: CVE-2022-39253
Severity: Medium
Security Risk: Low
Impacted Version: CORE-13.0-U5.3
Resolved Version: Not yet resolved
More Info: Link
Additional Info: Authorized SSH users are able to exploit this vulnerability; following the recommended security configuration of not providing that access mitigates the issue.

Component: git
Description: Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, a specially crafted `.gitmodules` file with submodule URLs that are longer than 1024 characters can be used to exploit a bug in `config.c::git_config_copy_or_rename_section_in_file()`. This bug can be used to inject arbitrary configuration into a user's `$GIT_DIR/config` when attempting to remove the configuration section associated with that submodule. When the attacker injects configuration values which specify executables to run (such as `core.pager`, `core.editor`, `core.sshCommand`, etc.) this can lead to remote code execution. A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid running `git submodule deinit` on untrusted repositories or without prior inspection of any submodule sections in `$GIT_DIR/config`.
Security Reference: CVE-2023-29007
Severity: High
Security Risk: Low
Impacted Version: CORE-13.0-U5.3
Resolved Version: Not yet resolved
More Info: Link
Additional Info: Git is not exposed to TrueNAS users in a manner which makes this exploitable.

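The workaround in that entry is "inspect before you deinit". The following Python block is an added example, not code from this page or from the Git project: it parses a `.gitmodules` body in git-config style and reports every submodule whose `url` exceeds the 1024-character threshold the CVE text gives. The sample file content, and the names `parse_gitmodules` and `overlong_submodule_urls`, are this example's own.

```python
"""Inspect .gitmodules for over-long submodule URLs before `git submodule deinit` (CVE-2023-29007).

Added example; not code from the TrueNAS page or the Git project. The advisory's
workaround is to inspect submodule sections of an untrusted repository before
deinit; this parses git-config style text (`[submodule "name"]` sections with
`key = value` lines) and reports every submodule whose `url` is longer than the
1024-character threshold the CVE text gives. The sample file is constructed.
"""
import re

URL_LIMIT = 1024  # the CVE's threshold: URLs longer than this trigger the bug

SECTION_RE = re.compile(r'^\s*\[submodule\s+"((?:[^"\\]|\\.)*)"\]\s*$')
KEY_RE = re.compile(r'^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.*?)\s*$')


def parse_gitmodules(text):
    """Return {submodule name: {key: value}} for a .gitmodules / git-config body.

    Only lines whose first non-blank character is '#' or ';' are treated as
    comments, so a '#' inside a URL value is preserved. Keys are lower-cased,
    as git treats them case-insensitively; subsection names keep their case.
    """
    modules = {}
    current = None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped[0] in "#;":
            continue
        m = SECTION_RE.match(raw)
        if m:
            current = m.group(1)
            modules.setdefault(current, {})
            continue
        if stripped.startswith("["):
            current = None          # some other section: ignore its keys
            continue
        m = KEY_RE.match(raw)
        if m and current is not None:
            modules[current][m.group(1).lower()] = m.group(2)
    return modules


def overlong_submodule_urls(text, limit=URL_LIMIT):
    """Return [(submodule name, url length)] for every url longer than `limit`."""
    hits = []
    for name, cfg in parse_gitmodules(text).items():
        url = cfg.get("url", "")
        if len(url) > limit:
            hits.append((name, len(url)))
    return hits


# Constructed sample: one ordinary submodule and one with a 1128-character URL.
SAMPLE_GITMODULES = (
    '[submodule "lib/good"]\n'
    '\tpath = lib/good\n'
    '\turl = https://example.invalid/good.git\n'
    '# a comment line\n'
    '[submodule "lib/evil"]\n'
    '\tpath = lib/evil\n'
    '\turl = https://example.invalid/' + "A" * 1100 + '.git\n'
)

if __name__ == "__main__":
    for name, length in overlong_submodule_urls(SAMPLE_GITMODULES):
        print(f"submodule {name!r}: url is {length} characters (> {URL_LIMIT}); do not deinit blindly")
```

Run it against the checked-out `.gitmodules` of a repository you did not author; any hit is a reason to upgrade Git first or to remove the section by hand rather than with `git submodule deinit`.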
Component: git
Description: Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, by feeding specially crafted input to `git apply --reject`, a path outside the working tree can be overwritten with partially controlled contents (corresponding to the rejected hunk(s) from the given patch). A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid using `git apply` with `--reject` when applying patches from an untrusted source. Use `git apply --stat` to inspect a patch before applying; avoid applying one that creates a conflict where a link corresponding to the `*.rej` file exists.
Security Reference: CVE-2023-25652
Severity: High
Security Risk: Low
Impacted Version: CORE-13.0-U5.3
Resolved Version: Not yet resolved
More Info: Link
Additional Info: Git is not exposed to TrueNAS users in a manner which makes this exploitable.

Component: py39-beaker-1.11.0
Description: The Beaker library through 1.11.0 for Python is affected by deserialization of untrusted data, which could lead to arbitrary code execution.
Security Reference: CVE-2013-7489
Severity: Medium
Security Risk: Low
Impacted Version: CORE-13.0-U5.3
Resolved Version: Not yet resolved
More Info: Link
Additional Info: Only exploitable by a privileged local user who already has full access to the system.

Component: minio-2021.12.27.07.23.18_1
Description: MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0. A security issue was found where a non-admin user is able to create service accounts for root or other admin users and is then able to assume their access policies via the generated credentials. This in turn allows the user to escalate privilege to that of the root user. This vulnerability has been resolved in pull request #14729 and is included in `RELEASE.2022-04-12T06-55-35Z`. Users unable to upgrade may work around this issue by explicitly adding an `admin:CreateServiceAccount` deny policy; however, this in turn denies the user the ability to create their own service accounts as well.
Security Reference: CVE-2022-24842
Severity: High
Security Risk: Critical
Impacted Version: CORE-13.0-U5.3
Resolved Version: Not yet resolved
More Info: Link
Additional Info: The built-in service is exploitable, but this can be mitigated by migrating to the plugin-based MinIO service, which is patched beyond this vulnerability level. With the built-in S3 service set to Disabled in the TrueNAS UI, TrueNAS is not vulnerable. This issue may be addressed in a future TrueNAS release.

Component: minio-2021.12.27.07.23.18_1
Description: MinIO is a Multi-Cloud Object Storage framework. In a cluster (distributed) deployment, releases starting with RELEASE.2019-12-17T23-16-33Z and prior to RELEASE.2023-03-20T20-16-18Z return all environment variables, including `MINIO_SECRET_KEY` and `MINIO_ROOT_PASSWORD`, resulting in information disclosure. All users of distributed deployments are impacted and are advised to upgrade as soon as possible.
Security Reference: CVE-2023-28432
Severity: High
Security Risk: Critical
Impacted Version: CORE-13.0-U5.3
Resolved Version: Not yet resolved
More Info: Link
Additional Info: The built-in service is exploitable, but this can be mitigated by migrating to the plugin-based MinIO service, which is patched beyond this vulnerability level. With the built-in S3 service set to Disabled in the TrueNAS UI, TrueNAS is not vulnerable. This issue may be addressed in a future TrueNAS release.

Component: minio-2021.12.27.07.23.18_1
Description: MinIO is a Multi-Cloud Object Storage framework. Prior to RELEASE.2023-03-20T20-16-18Z, an attacker can use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing `PostPolicyBucket`. To carry out this attack, the attacker requires credentials with `arn:aws:s3:::*` permission, as well as enabled Console API access. This issue has been patched in RELEASE.2023-03-20T20-16-18Z. As a workaround, disable Console API access (`MINIO_BROWSER=off`).
Security Reference: CVE-2023-28434
Severity: High
Security Risk: Critical
Impacted Version: CORE-13.0-U5.3
Resolved Version: Not yet resolved
More Info: Link
Additional Info: The built-in service is exploitable, but this can be mitigated by migrating to the plugin-based MinIO service, which is patched beyond this vulnerability level. With the built-in S3 service set to Disabled in the TrueNAS UI, TrueNAS is not vulnerable. This issue may be addressed in a future TrueNAS release.

Component: libxml2-2.9.12
Description: An issue was discovered in libxml2 before 2.10.4. When hashing empty dict strings in a crafted XML document, xmlDictComputeFastKey in dict.c can produce non-deterministic values, leading to various logic and memory errors, such as a double free. This behavior occurs because there is an attempt to use the first byte of an empty string, and any value is possible (not solely the '\0' value).
Security Reference: CVE-2023-29469
Severity: Medium
Security Risk: Low
Impacted Version: CORE-13.0-U5.3
Resolved Version: Not yet resolved
More Info: Link
Additional Info: iX assessment: only exploitable by a privileged user.

Component: libxml2-2.9.12
Description: In libxml2 before 2.10.4, parsing of certain invalid XSD schemas can lead to a NULL pointer dereference and subsequently a segfault. This occurs in xmlSchemaFixupComplexType in xmlschemas.c.
Security Reference: CVE-2023-28484
Severity: Medium
Security Risk: Low
Impacted Version: CORE-13.0-U5.3
Resolved Version: Not yet resolved
More Info: Link
Additional Info: iX assessment: only exploitable by a privileged user.

Component: squashfs-tools-4.3_1
Description: Integer overflow in the read_fragment_table_4 function in unsquash-4.c in Squashfs and sasquatch allows remote attackers to cause a denial of service (application crash) via a crafted input, which triggers a stack-based buffer overflow.
Security Reference: CVE-2015-4645
Severity: Medium
Security Risk: Low
Impacted Version: CORE-13.0-U5.3
Resolved Version: Not yet resolved
More Info: Link
Additional Info: iX assessment: only exploitable by a privileged user.

Component: pixman-0.40.0_1
Description: In libpixman in Pixman before 0.42.2, there is an out-of-bounds write (aka heap-based buffer overflow) in rasterize_edges_8 due to an integer overflow in pixman_sample_floor_y.
Security Reference: CVE-2022-44638
Severity: High
Security Risk: Low
Impacted Version: CORE-13.0-U5.3
Resolved Version: Not yet resolved
More Info: Link
Additional Info: iX assessment: only exploitable by a privileged user.

Component: py39-sentry-sdk-1.4.3
Description: Sentry SDK is the official Python SDK for Sentry, real-time crash reporting software. When using the Django integration of versions prior to 1.14.0 of the Sentry SDK in a specific configuration, it is possible to leak sensitive cookie values, including the session cookie, to Sentry. These sensitive cookies could then be used by someone with access to your Sentry issues to impersonate or escalate their privileges within your application. In order for these sensitive values to be leaked, the Sentry SDK configuration must have `sendDefaultPII` set to `True`; one must use a custom name for either `SESSION_COOKIE_NAME` or `CSRF_COOKIE_NAME` in one's Django settings; and one must not be configured in one's organization or project settings to use Sentry's data scrubbing features to account for the custom cookie names. As of version 1.14.0, the Django integration of the `sentry-sdk` will detect the custom cookie names based on one's Django settings and will remove the values from the payload before sending the data to Sentry. As a workaround, use the SDK's filtering mechanism to remove the cookies from the payload that is sent to Sentry. For error events, this can be done with the `before_send` callback method and for performance related events (transactions) one can use the `before_send_transaction` callback method. Those who want to handle filtering of these values on the server side can also use Sentry's advanced data scrubbing feature to account for the custom cookie names. Look for the `$http.cookies`, `$http.headers`, `$request.cookies`, or `$request.headers` fields to target with a scrubbing rule.
Security Reference: CVE-2023-28117
Severity: Medium
Security Risk: False Positive
Impacted Version: CORE-13.0-U5.3
Resolved Version: Not yet resolved
More Info: Link
Additional Info: TrueNAS does not use the Sentry SDK with Django, so this does not apply.

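The `before_send` workaround from that entry, written out. The following Python block is an added example, not code from this page or from the sentry-sdk project: it redacts custom session and CSRF cookie values from an event's request data before the SDK transmits it. The cookie names (`nasapp_sessionid`, `nasapp_csrftoken`), the sample event, and the helper names are this example's own assumptions; the event layout follows the `request.cookies` / `request.headers` shape the SDK attaches, and the block runs without `sentry_sdk` installed. Note that the Python SDK option is spelled `send_default_pii`; the advisory text uses the JavaScript-style name.

```python
"""Drop session/CSRF cookie values from Sentry events before they leave the host (CVE-2023-28117).

Added example; not code from the TrueNAS page or the sentry-sdk project. It is the
client-side workaround the advisory describes: a `before_send` callback (usable as
`before_send_transaction` too) that blanks the custom cookie names from the
request data. The cookie names are assumed values standing in for a Django
project's SESSION_COOKIE_NAME / CSRF_COOKIE_NAME; the event dict is constructed
to follow the `event["request"]["cookies"]` / `event["request"]["headers"]` shape
sentry-sdk uses. No sentry_sdk import is needed to run it.
"""
import copy

# Assumed custom cookie names; in a real project read them from django.conf.settings.
SENSITIVE_COOKIES = {"nasapp_sessionid", "nasapp_csrftoken"}
REDACTED = "[Filtered]"


def _scrub_cookie_header(raw):
    """Return the raw Cookie header with sensitive cookie values replaced."""
    out = []
    for chunk in raw.split(";"):
        chunk = chunk.strip()
        if not chunk:
            continue
        name, sep, _value = chunk.partition("=")
        out.append(f"{name}={REDACTED}" if sep and name in SENSITIVE_COOKIES else chunk)
    return "; ".join(out)


def before_send(event, hint=None):
    """sentry_sdk hook: return a copy of `event` with sensitive cookies redacted.

    The event is deep-copied so the caller's object is untouched; returning None
    here would drop the event entirely, which is not the goal.
    """
    event = copy.deepcopy(event)
    request = event.get("request")
    if not isinstance(request, dict):
        return event                      # no request context: nothing to scrub

    cookies = request.get("cookies")
    if isinstance(cookies, dict):
        for name in cookies:
            if name in SENSITIVE_COOKIES:
                cookies[name] = REDACTED

    headers = request.get("headers")
    if isinstance(headers, dict):
        for key, value in headers.items():
            if key.lower() == "cookie" and isinstance(value, str):
                headers[key] = _scrub_cookie_header(value)
    return event


# Constructed event resembling what the Django integration attaches to an error.
SAMPLE_EVENT = {
    "message": "ZeroDivisionError in /api/volumes",
    "request": {
        "url": "https://nas.example.invalid/api/volumes",
        "cookies": {"nasapp_sessionid": "s3cr3t", "theme": "dark"},
        "headers": {
            "Host": "nas.example.invalid",
            "Cookie": "nasapp_sessionid=s3cr3t; theme=dark; nasapp_csrftoken=t0k3n",
        },
    },
}

# Wiring (not executed here):
#   sentry_sdk.init(dsn=..., send_default_pii=True,
#                   before_send=before_send, before_send_transaction=before_send)

if __name__ == "__main__":
    print(before_send(SAMPLE_EVENT)["request"])
```

Scrubbing both the parsed `cookies` map and the raw `Cookie` header matters: the SDK carries the cookie twice, and a rule that only touches one of them still leaks the session identifier through the other.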
Component: py39-cryptography-3.3.2
Description: There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME incorrectly specified the type of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an ASN1_STRING. When CRL checking is enabled (i.e. the application sets the X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass arbitrary pointers to a memcmp call, enabling them to read memory contents or enact a denial of service. In most cases, the attack requires the attacker to provide both the certificate chain and CRL, neither of which need to have a valid signature. If the attacker only controls one of these inputs, the other input must already contain an X.400 address as a CRL distribution point, which is uncommon. As such, this vulnerability is most likely to only affect applications which have implemented their own functionality for retrieving CRLs over a network.
Security Reference: CVE-2023-0286
Severity: High
Security Risk: Low
Impacted Version: CORE-13.0-U5.3
Resolved Version: Not yet resolved
More Info: Link
Additional Info: iX assessment: only exploitable by a privileged user.

Component: py39-cryptography-3.3.2
Description: cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. In affected versions `Cipher.update_into` would accept Python objects which implement the buffer protocol but provide only immutable buffers. This would allow immutable objects (such as `bytes`) to be mutated, thus violating fundamental rules of Python and resulting in corrupted output. This now correctly raises an exception. This issue has been present since `update_into` was originally introduced in cryptography 1.8.
Security Reference: CVE-2023-23931
Severity: Medium
Security Risk: Low
Impacted Version: CORE-13.0-U5.3
Resolved Version: Not yet resolved
More Info: Link
Additional Info: iX assessment: only exploitable by a privileged user.

Component: py39-setuptools-57.0.0
Description: Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py.
Security Reference: CVE-2022-40897
Severity: Medium
Security Risk: Low
Impacted Version: CORE-13.0-U5.3
Resolved Version: Not yet resolved
More Info: Link
Additional Info: iX assessment: only exploitable by a privileged user.

Component: TrueNAS middleware
Description: A vulnerability involving Python deserialization, CVE-2020-22083, was found.
Security Reference: CVE-2020-22083
Severity: Medium
Security Risk: Medium
Impacted Version: CORE-13.0-U6.2
Resolved Version: CORE-13.0-U6.3
More Info: Link
Additional Info: iX assessment: exploitable by a local user.

Component: TrueNAS iocage
Description: A vulnerability involving iocage updates was found.
Security Reference: CVE-2020-22083
Severity: High
Security Risk: High
Impacted Version: CORE-13.0-U6.2
Resolved Version: Partial fix in CORE-13.0-U6.3
More Info: Link
Additional Info: iX assessment: exploitable if the attacker can control the local gateway or the upstream network.

Component: TrueNAS middleware
Description: A vulnerability involving Python deserialization, CVE-2020-22083, was found.
Security Reference: NAS-132268
Severity: Medium
Security Risk: Medium
Impacted Version: CORE-13.3
Resolved Version: CORE-13.3-U1
More Info: Link
Additional Info: iX assessment: exploitable by a local user.

Component: TrueNAS iocage
Description: A vulnerability involving iocage updates was found.
Security Reference: NAS-132590
Severity: High
Security Risk: High
Impacted Version: CORE-13.3
Resolved Version: Partial fix in CORE-13.3-U1
More Info: Link
Additional Info: iX assessment: exploitable if the attacker can control the local gateway or the upstream network.

Component: openssh
Description: A security regression (CVE-2024-6387) was discovered in OpenSSH's server (sshd). A race condition can lead sshd to handle some signals in an unsafe manner. An unauthenticated, remote attacker may be able to trigger it by failing to authenticate within a set time period. This bug allows remote code execution.
Security Reference: CVE-2024-6387
Severity: High
Security Risk: High
Impacted Version: SCALE 24.04.0
Resolved Version: SCALE 24.04.2
More Info: Link

Component: github.com/bits-and-blooms/bloom/v3 (v3.0.1)
Description: Uncontrolled Search Path Element in GitHub repository bits-and-blooms/bloom prior to 3.3.1.
Security Reference: CVE-2023-0247
Severity: High
Security Risk: Low
Impacted Version: 22.12.4
Resolved Version: Cobia 23.10-BETA.1
More Info: Link
Additional Info: The built-in MinIO service (the source of this component) is exploitable, but this can be mitigated by migrating to the plugin-based MinIO service, which is patched beyond this vulnerability level. With the built-in S3 service set to Disabled in the TrueNAS UI, TrueNAS is not vulnerable. This issue may be addressed in a future TrueNAS release.

Component: github.com/containerd/containerd (1.6.6 & 1.5.7)
Description: containerd is an open source container runtime. Before versions 1.6.18 and 1.5.18, when importing an OCI image, there was no limit on the number of bytes read for certain files. A maliciously crafted image with a large file where a limit was not applied could cause a denial of service. This bug has been fixed in containerd 1.6.18 and 1.5.18. Users should update to these versions to resolve the issue. As a workaround, ensure that only trusted images are used and that only trusted users have permissions to import images.
Security Reference: CVE-2023-25153
Severity: Medium
Security Risk: Low
Impacted Version: 22.12.4
Resolved Version: Cobia 23.10-BETA.1
More Info: Link
Additional Info: iX assessment: only exploitable by a privileged user.

Component: github.com/containerd/containerd (1.6.6 & 1.5.7)
Description: containerd is an open source container runtime. A bug was found in containerd prior to versions 1.6.18 and 1.5.18 where supplementary groups are not set up properly inside a container. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases, potentially gaining access to sensitive information or gaining the ability to execute code in that container. Downstream applications that use the containerd client library may be affected as well. This bug has been fixed in containerd v1.6.18 and v1.5.18. Users should update to these versions and recreate containers to resolve this issue. Users who rely on a downstream application that uses containerd's client library should check that application for a separate advisory and instructions. As a workaround, ensure that the `"USER $USERNAME"` Dockerfile instruction is not used. Instead, set the container entrypoint to a value similar to `ENTRYPOINT ["su", "-", "user"]` to allow `su` to properly set up supplementary groups.
Security Reference: CVE-2023-25173
Severity: High
Security Risk: Low
Impacted Version: 22.12.4
Resolved Version: Cobia 23.10-BETA.1
More Info: Link
Additional Info: iX assessment: only exploitable by a privileged user.

Component: github.com/containerd/containerd (1.6.6 & 1.5.7)
Description: containerd is an open source container runtime. A bug was found in containerd's CRI implementation where a user can exhaust memory on the host. In the CRI stream server, a goroutine is launched to handle terminal resize events if a TTY is requested. If the user's process fails to launch due to, for example, a faulty command, the goroutine will be stuck waiting to send without a receiver, resulting in a memory leak. Kubernetes and crictl can both be configured to use containerd's CRI implementation and the stream server is used for handling container IO. This bug has been fixed in containerd 1.6.12 and 1.5.16. Users should update to these versions to resolve the issue. Users unable to upgrade should ensure that only trusted images and commands are used and that only trusted users have permissions to execute commands in running containers.
Security Reference: CVE-2022-23471
Severity: Medium
Security Risk: Low
Impacted Version: 22.12.4
Resolved Version: Cobia 23.10-BETA.1
More Info: Link
Additional Info: iX assessment: only exploitable by a privileged user.

Component: github.com/containerd/containerd (1.5.7)
Description: containerd is a container runtime available as a daemon for Linux and Windows. A bug was found in containerd prior to versions 1.6.1, 1.5.10, and 1.4.12 where containers launched through containerd's CRI implementation on Linux with a specially-crafted image configuration could gain access to read-only copies of arbitrary files and directories on the host. This may bypass any policy-based enforcement on container setup (including a Kubernetes Pod Security Policy) and expose potentially sensitive information. Kubernetes and crictl can both be configured to use containerd's CRI implementation. This bug has been fixed in containerd 1.6.1, 1.5.10, and 1.4.12. Users should update to these versions to resolve the issue.
Security Reference: CVE-2022-23648
Severity: High
Security Risk: Low
Impacted Version: 22.12.4
Resolved Version: Cobia 23.10-BETA.1
More Info: Link
Additional Info: iX assessment: only exploitable by a privileged user.

Component: github.com/containerd/containerd (1.5.7)
Description: containerd is an open source container runtime. A bug was found in containerd's CRI implementation where programs inside a container can cause the containerd daemon to consume memory without bound during invocation of the `ExecSync` API. This can cause containerd to consume all available memory on the computer, denying service to other legitimate workloads. Kubernetes and crictl can both be configured to use containerd's CRI implementation; `ExecSync` may be used when running probes or when executing processes via an "exec" facility. This bug has been fixed in containerd 1.6.6 and 1.5.13. Users should update to these versions to resolve the issue. Users unable to upgrade should ensure that only trusted images and commands are used.
Security Reference: CVE-2022-31030
Severity: Medium
Security Risk: Low
Impacted Version: 22.12.4
Resolved Version: Cobia 23.10-BETA.1
More Info: Link
Additional Info: iX assessment: only exploitable by a privileged user.

Component: github.com/containerd/containerd (1.5.7)
Description: The OCI Distribution Spec project defines an API protocol to facilitate and standardize the distribution of content. In the OCI Distribution Specification version 1.0.0 and prior, the Content-Type header alone was used to determine the type of document during push and pull operations. Documents that contain both "manifests" and "layers" fields could be interpreted as either a manifest or an index in the absence of an accompanying Content-Type header. If a Content-Type header changed between two pulls of the same digest, a client may interpret the resulting content differently. The OCI Distribution Specification has been updated to require that a mediaType value present in a manifest or index match the Content-Type header used during the push and pull operations. Clients pulling from a registry may distrust the Content-Type header and reject an ambiguous document that contains both "manifests" and "layers" fields or "manifests" and "config" fields if they are unable to update to version 1.0.1 of the spec.
Security Reference: CVE-2021-41190
Severity: Medium
Security Risk: Low
Impacted Version: 22.12.4
Resolved Version: Cobia 23.10-BETA.1
More Info: Link
Additional Info: iX assessment: only exploitable by a privileged user.

Component: github.com/containerd/containerd (1.5.7)
Description: containerd is an open source container runtime. On installations using SELinux, such as EL8 (CentOS, RHEL), Fedora, or SUSE MicroOS, with containerd since v1.5.0-beta.0 as the backing container runtime interface (CRI), an unprivileged pod scheduled to the node may bind mount, via hostPath volume, any privileged, regular file on disk for complete read/write access (sans delete). This is achieved by placing the in-container location of the hostPath volume mount at either `/etc/hosts`, `/etc/hostname`, or `/etc/resolv.conf`. These locations are being relabeled indiscriminately to match the container process label, which effectively elevates permissions for savvy containers that would not normally be able to access privileged host files. This issue has been resolved in version 1.5.9. Users are advised to upgrade as soon as possible.
Security Reference: CVE-2021-43816
Severity: Critical
Security Risk: Low
Impacted Version: 22.12.4
Resolved Version: Cobia 23.10-BETA.1
More Info: Link
Additional Info: iX assessment: only exploitable by a privileged user.

Component: github.com/minio/console (0.12.5)
Description: MinIO Console is the UI for MinIO Object Storage. Unicode RIGHT-TO-LEFT OVERRIDE characters can be used to mask the original filename. This issue has been patched in version 0.28.0.
Security Reference: CVE-2023-33955
Severity: Medium
Security Risk: Low
Impacted Version: 22.12.4
Resolved Version: Cobia 23.10-BETA.1
More Info: Link
Additional Info: The built-in MinIO service (the source of this component) is exploitable, but this can be mitigated by migrating to the plugin-based MinIO service, which is patched beyond this vulnerability level. With the built-in S3 service set to Disabled in the TrueNAS UI, TrueNAS is not vulnerable. This issue may be addressed in a future TrueNAS release.

Component: k8s.io/apiserver (v0.22.5 & v0.24.2)
Description: A security issue was discovered in Kubernetes where actors that control the responses of MutatingWebhookConfiguration or ValidatingWebhookConfiguration requests are able to redirect kube-apiserver requests to private networks of the apiserver. If that user can view kube-apiserver logs when the log level is set to 10, they can view the redirected responses and headers in the logs.
Security Reference: CVE-2020-8561
Severity: Medium
Security Risk: Low
Impacted Version: 22.12.4
Resolved Version: Not yet resolved
More Info: Link
Additional Info: iX assessment: only exploitable by a privileged user.

Component: github.com/coredns/coredns (1.4.0)
Description: A flaw was found in CoreDNS. This flaw allows a malicious user to reroute internal calls to some internal services that were accessed by the FQDN in a format of <service>.<namespace>.svc.
Security Reference: CVE-2022-2835
Severity: Medium
Security Risk: Low
Impacted Version: 22.12.4
Resolved Version: Cobia 23.10-BETA.1
More Info: Link
Additional Info: The built-in MinIO service (the source of this component) is exploitable, but this can be mitigated by migrating to the plugin-based MinIO service, which is patched beyond this vulnerability level. With the built-in S3 service set to Disabled in the TrueNAS UI, TrueNAS is not vulnerable. This issue may be addressed in a future TrueNAS release.

Component: github.com/coredns/coredns (1.4.0)
Description: A flaw was found in CoreDNS. This flaw allows a malicious user to redirect traffic intended for external top-level domains (TLD) to a pod they control by creating projects and namespaces that match the TLD.
Security Reference: CVE-2022-2837
Severity: Medium
Security Risk: Low
Impacted Version: 22.12.4
Resolved Version: Cobia 23.10-BETA.1
More Info: Link
Additional Info: The built-in MinIO service (the source of this component) is exploitable, but this can be mitigated by migrating to the plugin-based MinIO service, which is patched beyond this vulnerability level. With the built-in S3 service set to Disabled in the TrueNAS UI, TrueNAS is not vulnerable. This issue may be addressed in a future TrueNAS release.

Component: github.com/opencontainers/image-spec (1.0.1)
Description: The OCI Distribution Spec project defines an API protocol to facilitate and standardize the distribution of content. In the OCI Distribution Specification version 1.0.0 and prior, the Content-Type header alone was used to determine the type of document during push and pull operations. Documents that contain both "manifests" and "layers" fields could be interpreted as either a manifest or an index in the absence of an accompanying Content-Type header. If a Content-Type header changed between two pulls of the same digest, a client may interpret the resulting content differently. The OCI Distribution Specification has been updated to require that a mediaType value present in a manifest or index match the Content-Type header used during the push and pull operations. Clients pulling from a registry may distrust the Content-Type header and reject an ambiguous document that contains both "manifests" and "layers" fields or "manifests" and "config" fields if they are unable to update to version 1.0.1 of the spec.
Security Reference: CVE-2021-41190
Severity: Medium
Security Risk: Low
Impacted Version: 22.12.4
Resolved Version: Cobia 23.10-BETA.1
More Info: Link
Additional Info: iX assessment: only exploitable by a privileged user.

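The two CVE-2021-41190 entries (the containerd one above and this image-spec one) describe the same client-side defence: classify the document from its own fields, refuse one that is ambiguous, and insist that a declared `mediaType` agree with the Content-Type the registry sent. The following Python block is an added example, not code from this page, from containerd, or from the OCI image-spec project, implementing that check over constructed sample documents; the media-type constants are the standard OCI and Docker values, while `classify`, `validate_pull` and `PullVerdict` are this example's own names.

```python
"""Reject ambiguous OCI manifests rather than trusting Content-Type (CVE-2021-41190).

Added example; not code from the TrueNAS page, containerd, or the OCI image-spec
project. It applies the client-side defence the entries describe: refuse a
document that carries both index fields ("manifests") and manifest fields
("layers"/"config"), and require a `mediaType` inside the document to match the
Content-Type the registry sent. Sample documents are constructed.
"""
import json
from typing import NamedTuple, Optional

OCI_MANIFEST = "application/vnd.oci.image.manifest.v1+json"
OCI_INDEX = "application/vnd.oci.image.index.v1+json"
DOCKER_MANIFEST = "application/vnd.docker.distribution.manifest.v2+json"
DOCKER_LIST = "application/vnd.docker.distribution.manifest.list.v2+json"

# Media types a registry may legitimately send for each document kind.
MEDIA_TYPES = {
    "manifest": {OCI_MANIFEST, DOCKER_MANIFEST},
    "index": {OCI_INDEX, DOCKER_LIST},
}


class PullVerdict(NamedTuple):
    accepted: bool
    kind: Optional[str]   # "manifest" or "index" when accepted
    reason: str


def classify(doc):
    """Return "index" or "manifest" from the body alone, or None if ambiguous.

    The Content-Type header is deliberately not consulted: it is the one thing a
    registry (or a man-in-the-middle) can vary between two pulls of the same digest.
    """
    looks_like_index = "manifests" in doc
    looks_like_manifest = "layers" in doc or "config" in doc
    if looks_like_index and looks_like_manifest:
        return None
    if looks_like_index:
        return "index"
    if looks_like_manifest:
        return "manifest"
    return None


def validate_pull(body, content_type):
    """Decide whether a pulled document may be interpreted, and as what."""
    try:
        doc = json.loads(body)
    except ValueError as exc:
        return PullVerdict(False, None, f"body is not JSON: {exc}")
    if not isinstance(doc, dict):
        return PullVerdict(False, None, "body is not a JSON object")

    kind = classify(doc)
    if kind is None:
        return PullVerdict(False, None, "ambiguous or unrecognised document; refusing to guess")

    header = content_type.split(";", 1)[0].strip().lower()   # drop parameters
    if header not in MEDIA_TYPES[kind]:
        return PullVerdict(False, None, f"Content-Type {header!r} does not describe a {kind}")

    declared = doc.get("mediaType")
    if declared is not None and declared.lower() != header:
        return PullVerdict(False, None, f"mediaType {declared!r} disagrees with Content-Type {header!r}")
    return PullVerdict(True, kind, "ok")


# Constructed samples.
CLEAN_MANIFEST = json.dumps({
    "schemaVersion": 2,
    "mediaType": OCI_MANIFEST,
    "config": {"mediaType": "application/vnd.oci.image.config.v1+json",
               "digest": "sha256:" + "0" * 64, "size": 2},
    "layers": [],
}).encode()
CLEAN_INDEX = json.dumps({"schemaVersion": 2, "manifests": []}).encode()
AMBIGUOUS = json.dumps({"schemaVersion": 2, "manifests": [], "layers": []}).encode()

if __name__ == "__main__":
    for label, body, ct in (("clean manifest", CLEAN_MANIFEST, OCI_MANIFEST),
                            ("ambiguous as index", AMBIGUOUS, OCI_INDEX),
                            ("ambiguous as manifest", AMBIGUOUS, OCI_MANIFEST)):
        print(f"{label}: {validate_pull(body, ct)}")
```

The ambiguous document is rejected whichever Content-Type accompanies it, which is the property that removes the two-pulls-differ problem: the digest alone now determines how the content is read.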
github.com/opencontainers/runc (v1.1.3 & v1.0.2 & v1.1.2) runc is a CLI tool for spawning and running containers according to the OCI specification. In affected versions it was found that rootless runc makes `/sys/fs/cgroup` writable in following conditons: 1. when runc is executed inside the user namespace, and the `config.json` does not specify the cgroup namespace to be unshared (e.g.., `(docker|podman|nerdctl) run --cgroupns=host`, with Rootless Docker/Podman/nerdctl) or 2. when runc is executed outside the user namespace, and `/sys` is mounted with `rbind, ro` (e.g., `runc spec --rootless`; this condition is very rare). A container may gain the write access to user-owned cgroup hierarchy `/sys/fs/cgroup/user.slice/...` on the host . Other users's cgroup hierarchies are not affected. Users are advised to upgrade to version 1.1.5. Users unable to upgrade may unshare the cgroup namespace (`(docker|podman|nerdctl) run --cgroupns=private)`. This is the default behavior of Docker/Podman/nerdctl on cgroup v2 hosts. or add `/sys/fs/cgroup` to `maskedPaths`. CVE-2023-25809 Medium Low 22.12.4 Cobia 23.10-BETA.1 Link iX assessment: only exploitable by a privileged user
github.com/opencontainers/runc (v1.1.3 & v1.0.2 & v1.1.2) runc through 1.1.4 has Incorrect Access Control leading to Escalation of Privileges, related to libcontainer/rootfs_linux.go. To exploit this, an attacker must be able to spawn two containers with custom volume-mount configurations, and be able to run custom images. NOTE: this issue exists because of a CVE-2019-19921 regression. CVE-2023-27561 High Low 22.12.4 Cobia 23.10-BETA.1 Link iX assessment: only exploitable by a privileged user
github.com/opencontainers/runc (v1.1.3 & v1.0.2 & v1.1.2) runc is a CLI tool for spawning and running containers according to the OCI specification. It was found that AppArmor can be bypassed when `/proc` inside the container is symlinked with a specific mount configuration. This issue has been fixed in runc version 1.1.5, by prohibiting symlinked `/proc`. See PR #3785 for details. users are advised to upgrade. Users unable to upgrade should avoid using an untrusted container image. CVE-2023-28642 High Low 22.12.4 Cobia 23.10-BETA.1 Link iX assessment: only exploitable by a privileged user
github.com/opencontainers/runc (v1.0.2) runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. A bug was found in runc prior to version 1.1.2 where `runc exec --cap` created processes with non-empty inheritable Linux process capabilities, creating an atypical Linux environment and enabling programs with inheritable file capabilities to elevate those capabilities to the permitted set during execve(2). This bug did not affect the container security sandbox as the inheritable set never contained more capabilities than were included in the container's bounding set. This bug has been fixed in runc 1.1.2. This fix changes `runc exec --cap` behavior such that the additional capabilities granted to the process being executed (as specified via `--cap` arguments) do not include inheritable capabilities. In addition, `runc spec` is changed to not set any inheritable capabilities in the created example OCI spec (`config.json`) file. CVE-2022-29162 High Low 22.12.4 Cobia 23.10-BETA.1 Link iX assessment: only exploitable by a privileged user
github.com/opencontainers/runc (v1.0.2) runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc, netlink is used internally as a serialization system for specifying the relevant container configuration to the `C` portion of the code (responsible for the based namespace setup of containers). In all versions of runc prior to 1.0.3, the encoder did not handle the possibility of an integer overflow in the 16-bit length field for the byte array attribute type, meaning that a large enough malicious byte array attribute could result in the length overflowing and the attribute contents being parsed as netlink messages for container configuration. This vulnerability requires the attacker to have some control over the configuration of the container and would allow the attacker to bypass the namespace restrictions of the container by simply adding their own netlink payload which disables all namespaces. The main users impacted are those who allow untrusted images with untrusted configurations to run on their machines (such as with shared cloud infrastructure). runc version 1.0.3 contains a fix for this bug. As a workaround, one may try disallowing untrusted namespace paths from your container. It should be noted that untrusted namespace paths would allow the attacker to disable namespace protections entirely even in the absence of this bug. CVE-2021-43784 Medium Low 22.12.4 Cobia 23.10-BETA.1 Link iX assessment: only exploitable by a privileged user
github.com/prometheus/client_golang (v1.10.0 & v1.11.0 & v1.7.1) client_golang is the instrumentation library for Go applications in Prometheus, and the promhttp package in client_golang provides tooling around HTTP servers and clients. In client_golang prior to version 1.11.1, HTTP server is susceptible to a Denial of Service through unbounded cardinality, and potential memory exhaustion, when handling requests with non-standard HTTP methods. In order to be affected, an instrumented software must use any of `promhttp.InstrumentHandler*` middleware except `RequestsInFlight`; not filter any specific methods (e.g. GET) before middleware; pass metric with `method` label name to our middleware; and not have any firewall/LB/proxy that filters away requests with unknown `method`. client_golang version 1.11.1 contains a patch for this issue. Several workarounds are available, including removing the `method` label name from counter/gauge used in the InstrumentHandler; turning off affected promhttp handlers; adding custom middleware before promhttp handler that will sanitize the request method given by Go http.Request; and using a reverse proxy or web application firewall, configured to only allow a limited set of methods. CVE-2022-21698 High Low 22.12.4 Cobia 23.10-BETA.1 Link iX assessment: only exploitable by a privileged user
github.com/rancher/wrangler (v1.0.0) An Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in wrangler of SUSE Rancher allows remote attackers to inject commands in the underlying host via crafted commands passed to Wrangler. This issue affects: SUSE Rancher wrangler version 0.7.3 and prior versions; wrangler version 0.8.4 and prior versions; wrangler version 1.0.0 and prior versions. CVE-2022-31249 Critical Low 22.12.4 Cobia 23.10-BETA.1 Link iX assessment: only exploitable by a privileged user
github.com/rancher/wrangler (v1.0.0) An Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') vulnerability in SUSE Rancher allows remote attackers to cause denial of service by supplying specially crafted git credentials. This issue affects: SUSE Rancher wrangler version 0.7.3 and prior versions; wrangler version 0.8.4 and prior versions; wrangler version 1.0.0 and prior versions. CVE-2022-43756 High Low 22.12.4 Cobia 23.10-BETA.1 Link iX assessment: only exploitable by a privileged user
golang.org/x/text (v0.3.6 & v0.3.7) An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse. CVE-2022-32149 High Low 22.12.4 Cobia 23.10-BETA.1 Link iX assessment: only exploitable by a privileged user
golang.org/x/text (v0.3.6) golang.org/x/text/language in golang.org/x/text before 0.3.7 can panic with an out-of-bounds read during BCP 47 language tag parsing. Index calculation is mishandled. If parsing untrusted user input, this can be used as a vector for a denial-of-service attack. CVE-2021-38561 High Low 22.12.4 Cobia 23.10-BETA.1 Link iX assessment: only exploitable by a privileged user
go.mongodb.org/mongo-driver (v1.4.6) Specific cstrings input may not be properly validated in the MongoDB Go Driver when marshalling Go objects into BSON. A malicious user could use a Go object with a specific string to potentially inject additional fields into marshalled documents. This issue affects all MongoDB Go Drivers up to (and including) 1.5.0. CVE-2021-20329 Medium Low 22.12.4 Cobia 23.10-BETA.1 Link The built-in MinIO service (source of this component) is exploitable, but this can be mitigated by migrating to the "Plugin-Based" MinIO service, which is patched beyond this vulnerability level. With the built-in S3 service set to "Disabled" in the TrueNAS UI, TrueNAS is not vulnerable. This issue may be addressed in a future TrueNAS release.
busybox (1:1.30.1-6+b3) BusyBox through 1.35.0 allows remote attackers to execute arbitrary code if netstat is used to print a DNS PTR record's value to a VT compatible terminal. Alternatively, the attacker could choose to change the terminal's colors. CVE-2022-28391 High Low 22.12.4 Not yet resolved Link iX assessment: only exploitable by a privileged user
busybox (1:1.30.1-6+b3) Busybox contains a missing SSL certificate validation vulnerability in the "busybox wget" applet that can result in arbitrary code execution. This attack appears to be exploitable by simply downloading any file over HTTPS using "busybox wget https://compromised-domain.com/important-file". CVE-2018-1000500 High Low 22.12.4 Cobia 23.10-BETA.1 Link iX assessment: only exploitable by a privileged user
git (1:2.39.2-1~bpo11+1) Affected versions of Git have a vulnerability whereby Git can be tricked into sending private credentials to a host controlled by an attacker. Git uses external "credential helper" programs to store and retrieve passwords or other credentials from secure storage provided by the operating system. Specially-crafted URLs that contain an encoded newline can inject unintended values into the credential helper protocol stream, causing the credential helper to retrieve the password for one server (e.g., good.example.com) for an HTTP request being made to another server (e.g., evil.example.com), resulting in credentials for the former being sent to the latter. There are no restrictions on the relationship between the two, meaning that an attacker can craft a URL that will present stored credentials for any host to a host of their choosing. The vulnerability can be triggered by feeding a malicious URL to git clone. However, the affected URLs look rather suspicious; the likely vector would be through systems which automatically clone URLs not visible to the user, such as Git submodules, or package systems built around Git. The problem has been patched in the versions published on April 14th, 2020, going back to v2.17.x. Anyone wishing to backport the change further can do so by applying commit 9a6bbee (the full release includes extra checks for git fsck, but that commit is sufficient to protect clients against the vulnerability). The patched versions are: 2.17.4, 2.18.3, 2.19.4, 2.20.3, 2.21.2, 2.22.3, 2.23.2, 2.24.2, 2.25.3, 2.26.1. CVE-2020-5260 High Low 22.12.4 Cobia 23.10-BETA.1 Link iX assessment: only exploitable by a privileged user
gnupg (2.2.27-2+deb11u2) GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB. CVE-2022-3219 Low Low 22.12.4 Cobia 23.10-BETA.1 Link iX assessment: low risk and no fix expected from upstream
gnupg (2.2.27-2+deb11u2) A vulnerability was found in the Libksba library due to an integer overflow within the CRL parser. The vulnerability can be exploited remotely for code execution on the target system by passing specially crafted data to the application, for example, a malicious S/MIME attachment. CVE-2022-3515 Critical Low 22.12.4 Cobia 23.10-BETA.1 Link iX assessment: only exploitable by a privileged user
helm (3.9.4-1) Helm is a tool that streamlines installing and managing Kubernetes applications. `getHostByName` is a Helm template function introduced in Helm v3. The function is able to accept a hostname and return an IP address for that hostname. To get the IP address the function performs a DNS lookup. The DNS lookup happens when used with `helm install|upgrade|template` or when the Helm SDK is used to render a chart. Information passed into the chart can be disclosed to the DNS servers used to lookup the IP address. For example, a malicious chart could inject `getHostByName` into a chart in order to disclose values to a malicious DNS server. The issue has been fixed in Helm 3.11.1. Prior to using a chart with Helm verify the `getHostByName` function is not being used in a template to disclose any information you do not want passed to DNS servers. CVE-2023-25165 Medium Medium 22.12.4 Cobia 23.10-BETA.1 Link Impact of fix is too high risk, resolution available in Cobia BETA.1 and beyond
helm (3.9.4-1) Helm is a tool for managing Charts, pre-configured Kubernetes resources. Versions prior to 3.10.3 are subject to Uncontrolled Resource Consumption, resulting in Denial of Service. Input to functions in the _strvals_ package can cause a stack overflow. In Go, a stack overflow cannot be recovered from. Applications that use functions from the _strvals_ package in the Helm SDK can have a Denial of Service attack when they use this package and it panics. This issue has been patched in 3.10.3. SDK users can validate strings supplied by users won't create large arrays causing significant memory usage before passing them to the _strvals_ functions. CVE-2022-23524 High Medium 22.12.4 Cobia 23.10-BETA.1 Link Impact of fix is too high risk, resolution available in Cobia BETA.1 and beyond
helm (3.9.4-1) Helm is a tool for managing Charts, pre-configured Kubernetes resources. Versions prior to 3.10.3 are subject to NULL Pointer Dereference in the _repo_ package. The _repo_ package contains a handler that processes the index file of a repository. For example, the Helm client adds references to chart repositories where charts are managed. The _repo_ package parses the index file of the repository and loads it into structures Go can work with. Some index files can cause array data structures to be created causing a memory violation. Applications that use the _repo_ package in the Helm SDK to parse an index file can suffer a Denial of Service when that input causes a panic that cannot be recovered from. The Helm Client will panic with an index file that causes a memory violation panic. Helm is not a long running service so the panic will not affect future uses of the Helm client. This issue has been patched in 3.10.3. SDK users can validate index files that are correctly formatted before passing them to the _repo_ functions. CVE-2022-23525 High Medium 22.12.4 Cobia 23.10-BETA.1 Link Impact of fix is too high risk, resolution available in Cobia BETA.1 and beyond
helm (3.9.4-1) Helm is a tool for managing Charts, pre-configured Kubernetes resources. Versions prior to 3.10.3 are subject to NULL Pointer Dereference in the _chartutil_ package that can cause a segmentation violation. The _chartutil_ package contains a parser that loads a JSON Schema validation file. For example, the Helm client when rendering a chart will validate its values with the schema file. The _chartutil_ package parses the schema file and loads it into structures Go can work with. Some schema files can cause array data structures to be created causing a memory violation. Applications that use the _chartutil_ package in the Helm SDK to parse a schema file can suffer a Denial of Service when that input causes a panic that cannot be recovered from. Helm is not a long running service so the panic will not affect future uses of the Helm client. This issue has been patched in 3.10.3. SDK users can validate schema files that are correctly formatted before passing them to the _chartutil_ functions. CVE-2022-23526 High Medium 22.12.4 Cobia 23.10-BETA.1 Link Impact of fix is too high risk, resolution available in Cobia BETA.1 and beyond
openssl (1.1.1t-001+deb11u4) Issue summary: Processing some specially crafted ASN.1 object identifiers or data containing them may be very slow. Impact summary: Applications that use OBJ_obj2txt() directly, or use any of the OpenSSL subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS with no message size limit may experience notable to very long delays when processing those messages, which may lead to a Denial of Service. An OBJECT IDENTIFIER is composed of a series of numbers - sub-identifiers - most of which have no size limit. OBJ_obj2txt() may be used to translate an ASN.1 OBJECT IDENTIFIER given in DER encoding form (using the OpenSSL type ASN1_OBJECT) to its canonical numeric text form, which are the sub-identifiers of the OBJECT IDENTIFIER in decimal form, separated by periods. When one of the sub-identifiers in the OBJECT IDENTIFIER is very large (these are sizes that are seen as absurdly large, taking up tens or hundreds of KiBs), the translation to a decimal number in text may take a very long time. The time complexity is O(n^2) with 'n' being the size of the sub-identifiers in bytes (*). With OpenSSL 3.0, support to fetch cryptographic algorithms using names / identifiers in string form was introduced. This includes using OBJECT IDENTIFIERs in canonical numeric text form as identifiers for fetching algorithms. Such OBJECT IDENTIFIERs may be received through the ASN.1 structure AlgorithmIdentifier, which is commonly used in multiple protocols to specify what cryptographic algorithm should be used to sign or verify, encrypt or decrypt, or digest passed data. Applications that call OBJ_obj2txt() directly with untrusted data are affected, with any version of OpenSSL. If the use is for the mere purpose of display, the severity is considered low. In OpenSSL 3.0 and newer, this affects the subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS. It also impacts anything that processes X.509 certificates, including simple things like verifying its signature. The impact on TLS is relatively low, because all versions of OpenSSL have a 100KiB limit on the peer's certificate chain. Additionally, this only impacts clients, or servers that have explicitly enabled client authentication. In OpenSSL 1.1.1 and 1.0.2, this only affects displaying diverse objects, such as X.509 certificates. This is assumed to not happen in such a way that it would cause a Denial of Service, so these versions are considered not affected by this issue in such a way that it would be cause for concern, and the severity is therefore considered low. CVE-2023-2650 Medium Low 22.12.4 Cobia 23.10-BETA.1 Link In OpenSSL 1.1.1 and 1.0.2, this only affects displaying diverse objects, such as X.509 certificates. This is assumed to not happen in such a way that it would cause a Denial of Service, so these versions are considered not affected by this issue in such a way that it would be cause for concern, and the severity is therefore considered low.
perl (5.32.1-4+deb11u2) HTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available standalone on CPAN, has an insecure default TLS configuration where users must opt in to verify certificates. CVE-2023-31486 High Low 22.12.4 Not yet resolved Link iX assessment: only exploitable by a privileged user
rsyslog (8.2102.0-2+deb11u1) rsyslog uses weak permissions for generating log files, which allows local users to obtain sensitive information by reading files in /var/log/cron. CVE-2015-3243 Medium Low 22.12.4 Not yet resolved Link iX assessment: only exploitable by a privileged user
busybox (1:1.30.1-6+b3) There is a stack overflow vulnerability in ash.c:6030 in busybox before 1.35. In the environment of Internet of Vehicles, this vulnerability can be executed from command to arbitrary code execution. CVE-2022-48174 Critical Low 22.12.4 Cobia 23.10-BETA.1 Link iX assessment: only exploitable by a privileged user
haproxy (2.6.12-1~bpo11+1) HAProxy through 2.0.32, 2.1.x and 2.2.x through 2.2.30, 2.3.x and 2.4.x through 2.4.23, 2.5.x and 2.6.x before 2.6.15, 2.7.x before 2.7.10, and 2.8.x before 2.8.2 forwards empty Content-Length headers, violating RFC 9110 section 8.6. In uncommon cases, an HTTP/1 server behind HAProxy may interpret the payload as an extra request. CVE-2023-40225 High Low 22.12.4 Not yet resolved Link iX assessment: only exploitable by a privileged user
perl (5.32.1-4+deb11u2) CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS. CVE-2023-31484 High Low 22.12.4 Not yet resolved Link iX assessment: only exploitable by a privileged user
openssl (3.0.9-2) Issue summary: The POLY1305 MAC (message authentication code) implementation contains a bug that might corrupt the internal state of applications on the Windows 64 platform when running on newer X86_64 processors supporting the AVX512-IFMA instructions. Impact summary: If in an application that uses the OpenSSL library an attacker can influence whether the POLY1305 MAC algorithm is used, the application state might be corrupted with various application dependent consequences. The POLY1305 MAC (message authentication code) implementation in OpenSSL does not save the contents of non-volatile XMM registers on Windows 64 platform when calculating the MAC of data larger than 64 bytes. Before returning to the caller all the XMM registers are set to zero rather than restoring their previous content. The vulnerable code is used only on newer x86_64 processors supporting the AVX512-IFMA instructions. The consequences of this kind of internal application state corruption can be various - from no consequences, if the calling application does not depend on the contents of non-volatile XMM registers at all, to the worst consequences, where the attacker could get complete control of the application process. However given the contents of the registers are just zeroized so the attacker cannot put arbitrary values inside, the most likely consequence, if any, would be an incorrect result of some application dependent calculations or a crash leading to a denial of service. The POLY1305 MAC algorithm is most frequently used as part of the CHACHA20-POLY1305 AEAD (authenticated encryption with associated data) algorithm. The most common usage of this AEAD cipher is with TLS protocol versions 1.2 and 1.3 and a malicious client can influence whether this AEAD cipher is used by the server. This implies that server applications using OpenSSL can be potentially impacted. However we are currently not aware of any concrete application that would be affected by this issue therefore we consider this a Low severity security issue. As a workaround the AVX512-IFMA instructions support can be disabled at runtime by setting the environment variable OPENSSL_ia32cap: OPENSSL_ia32cap=:~0x200000 The FIPS provider is not affected by this issue. CVE-2023-4807 High False Positive 22.12.4 N/A - False Positive Link Only applicable to Windows operating systems - False positive
samba (2:4.17.11+ix-1) smbd allows client access to unix domain sockets on the file system. CVE-2023-3931 Medium Critical 22.12.4 22.12.4.1 Link Exploitable, action recommended: upgrade to 22.12.4.1
samba (2:4.17.11+ix-1) Samba AD DC password exposure to privileged users and RODCs CVE-2023-4154 High Low 22.12.4 22.12.4.1 Link iX assessment: only exploitable by a privileged user
samba (2:4.17.11+ix-1) SMB clients can truncate files with read-only permissions CVE-2023-4091 Medium Low 22.12.4 22.12.4.1 Link iX assessment: only exploitable by a privileged user
samba (2:4.17.11+ix-1) "rpcecho" development server allows Denial of Service via sleep() call on AD DC CVE-2023-42669 Medium Low 22.12.4 22.12.4.1 Link iX assessment: only exploitable by a privileged user
samba (2:4.17.11+ix-1) Samba AD DC Busy RPC multiple listener DoS CVE-2023-42670 Medium Low 22.12.4 22.12.4.1 Link iX assessment: only exploitable by a privileged user
k8s.io/apiserver (v0.27.2) A security issue was discovered in Kubernetes where actors that control the responses of MutatingWebhookConfiguration or ValidatingWebhookConfiguration requests are able to redirect kube-apiserver requests to private networks of the apiserver. If that user can view kube-apiserver logs when the log level is set to 10, they can view the redirected responses and headers in the logs. CVE-2020-8561 Medium Low SCALE 23.10.0 Not yet resolved Link iX assessment: only exploitable by a privileged user
golang.org/x/net/ (0.10.0, 0.8.0, 0.7.0) Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack. CVE-2023-3978 Medium Low SCALE 23.10.0 Not yet resolved Link iX assessment: only exploitable by a privileged user
google.golang.org/grpc (v1.40.0) When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration. CVE-2023-32731 High False Positive SCALE 23.10.0 N/A False Positive Link Some scanning tools flag this C++-only grpc bug; this deployment uses the Go implementation. No exposure.
google.golang.org/protobuf (v1.30, v1.29 & v1.28.1) Nullptr dereference when a null char is present in a proto symbol. The symbol is parsed incorrectly, leading to an unchecked call into the proto file's name during generation of the resulting error message. Since the symbol is incorrectly parsed, the file is nullptr. We recommend upgrading to version 3.15.0 or greater. CVE-2021-22570 Medium False Positive SCALE 23.10.0 N/A False Positive Link Some scanning tools flag this C++-only grpc bug; this deployment uses the Go implementation. No exposure.
google.golang.org/protobuf (v1.30, v1.29 & v1.28.1) protobuf allows remote authenticated attackers to cause a heap-based buffer overflow. CVE-2015-5237 High False Positive SCALE 23.10.0 N/A False Positive Link Some scanning tools flag this C++-only grpc bug; this deployment uses the Go implementation. No exposure.
github.com/rclone/rclone (v1.63.0) In Rclone 1.42, use of "rclone sync" to migrate data between two Google Cloud Storage buckets might allow attackers to trigger the transmission of any URL's content to Google, because there is no validation of a URL field received from the Google Cloud Storage API server, aka a "RESTLESS" issue. CVE-2018-12907 High False Positive SCALE 23.10.0 N/A False Positive Link TrueNAS SCALE does not support cloud to cloud sync, not exposed
busybox (1:1.35.0-4+b3) An issue was discovered in BusyBox through 1.30.0. An out of bounds read in udhcp components (consumed by the DHCP client, server, and/or relay) might allow a remote attacker to leak sensitive information from the stack by sending a crafted DHCP message. This is related to assurance of a 4-byte length when decoding DHCP_SUBNET. NOTE: this issue exists because of an incomplete fix for CVE-2018-20679. CVE-2019-5747 High False Positive SCALE 23.10.0 N/A False Positive Link Some scanning tools identify this vulnerability due to version string parsing issues; this release of busybox includes the fix to address this vulnerability and is not impacted.
busybox (1:1.35.0-4+b3) BusyBox project BusyBox wget version prior to commit 8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e contains a Buffer Overflow vulnerability in Busybox wget that can result in heap buffer overflow. This attack appears to be exploitable via network connectivity. This vulnerability appears to have been fixed in after commit 8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e. CVE-2018-1000517 Critical False Positive SCALE 23.10.0 N/A False Positive Link Some scanning tools identify this vulnerability due to version string parsing issues; this release of busybox includes the fix to address this vulnerability and is not impacted.
busybox (1:1.35.0-4+b3) An issue was discovered in BusyBox before 1.30.0. An out of bounds read in udhcp components (consumed by the DHCP server, client, and relay) allows a remote attacker to leak sensitive information from the stack by sending a crafted DHCP message. This is related to verification in udhcp_get_option() in networking/udhcp/common.c that 4-byte options are indeed 4 bytes. CVE-2018-20679 High False Positive SCALE 23.10.0 N/A False Positive Link Some scanning tools identify this vulnerability due to version string parsing issues; this release of busybox includes the fix to address this vulnerability and is not impacted.
busybox (1:1.35.0-4+b3) In the add_match function in libbb/lineedit.c in BusyBox through 1.27.2, the tab autocomplete feature of the shell, used to get a list of filenames in a directory, does not sanitize filenames and results in executing any escape sequence in the terminal. This could potentially result in code execution, arbitrary file writes, or other attacks. CVE-2017-16544 High False Positive SCALE 23.10.0 N/A False Positive Link Some scanning tools identify this vulnerability due to version string parsing issues; this release of busybox includes the fix to address this vulnerability and is not impacted.
busybox (1:1.35.0-4+b3) Integer overflow in the DHCP client (udhcpc) in BusyBox before 1.25.0 allows remote attackers to cause a denial of service (crash) via a malformed RFC1035-encoded domain name, which triggers an out-of-bounds heap write. CVE-2016-2147 High False Positive SCALE 23.10.0 N/A False Positive Link Some scanning tools identify this vulnerability due to version string parsing issues; this release of busybox includes the fix to address this vulnerability and is not impacted.
busybox (1:1.35.0-4+b3) Heap-based buffer overflow in the DHCP client (udhcpc) in BusyBox before 1.25.0 allows remote attackers to have unspecified impact via vectors involving OPTION_6RD parsing. CVE-2016-2148 Critical False Positive SCALE 23.10.0 N/A False Positive Link Some scanning tools identify this vulnerability due to version string parsing issues; this release of busybox includes the fix to address this vulnerability and is not impacted.
busybox (1:1.35.0-4+b3) The recv_and_process_client_pkt function in networking/ntpd.c in busybox allows remote attackers to cause a denial of service (CPU and bandwidth consumption) via a forged NTP packet, which triggers a communication loop. CVE-2016-6301 High False Positive SCALE 23.10.0 N/A False Positive Link Some scanning tools identify this vulnerability due to version string parsing issues; this release of busybox includes the fix to address this vulnerability and is not impacted.
busybox (1:1.35.0-4+b3) huft_build in archival/libarchive/decompress_gunzip.c in BusyBox before 1.27.2 misuses a pointer, causing segfaults and an application crash during an unzip operation on a specially crafted ZIP file. CVE-2015-9261 Medium False Positive SCALE 23.10.0 N/A False Positive Link Some scanning tools identify this vulnerability due to version string parsing issues; this release of busybox includes the fix to address this vulnerability and is not impacted.
busybox (1:1.35.0-4+b3) The add_probe function in modutils/modprobe.c in BusyBox before 1.23.0 allows local users to bypass intended restrictions on loading kernel modules via a / (slash) character in a module name, as demonstrated by an "ifconfig /usbserial up" command or a "mount -t /snd_pcm none /" command. CVE-2014-9645 Medium False Positive SCALE 23.10.0 N/A False Positive Link Some scanning tools identify this vulnerability due to version string parsing issues; this release of busybox includes the fix to address this vulnerability and is not impacted.
busybox (1:1.35.0-4+b3) util-linux/mdev.c in BusyBox before 1.21.0 uses 0777 permissions for parent directories when creating nested directories under /dev/, which allows local users to have unknown impact and attack vectors. CVE-2013-1813 High False Positive SCALE 23.10.0 N/A False Positive Link Some scanning tools identify this vulnerability due to version string parsing issues; this release of busybox includes the fix to address this vulnerability and is not impacted.
busybox (1:1.35.0-4+b3) The DHCP client (udhcpc) in BusyBox before 1.20.0 allows remote DHCP servers to execute arbitrary commands via shell metacharacters in the (1) HOST_NAME, (2) DOMAIN_NAME, (3) NIS_DOMAIN, and (4) TFTP_SERVER_NAME host name options. CVE-2011-2716 Medium False Positive SCALE 23.10.0 N/A False Positive Link Some scanning tools identify this vulnerability due to version string parsing issues; this release of busybox includes the fix to address this vulnerability and is not impacted.
busybox (1:1.35.0-4+b3) Directory traversal vulnerability in the BusyBox implementation of tar before 1.22.0 v5 allows remote attackers to point to files outside the current working directory via a symlink. CVE-2011-5325 High False Positive SCALE 23.10.0 N/A False Positive Link Some scanning tools identify this vulnerability due to version string parsing issues; this release of busybox includes the fix to address this vulnerability and is not impacted.
busybox (1:1.35.0-4+b3) There is a stack overflow vulnerability in ash.c:6030 in busybox before 1.35. In the environment of Internet of Vehicles, this vulnerability can be executed from command to arbitrary code execution. CVE-2022-48174 High False Positive SCALE 23.10.0 N/A False Positive Link Some scanning tools identify this vulnerability due to version string parsing issues; this release of busybox includes the fix to address this vulnerability and is not impacted.
busybox (1:1.35.0-4+b3) BusyBox through 1.35.0 allows remote attackers to execute arbitrary code if netstat is used to print a DNS PTR record's value to a VT compatible terminal. Alternatively, the attacker could choose to change the terminal's colors. CVE-2022-28391 High Low SCALE 23.10.0 Not yet resolved Link iX assessment: only exploitable by a privileged user
haproxy (2.6.12-1) An uncontrolled resource consumption vulnerability was discovered in HAProxy which could crash the service. This issue could allow an authenticated remote attacker to run a specially crafted malicious server in an OpenShift cluster. The biggest impact is to availability. CVE-2023-40225 High Low SCALE 23.10.0 Not yet resolved Link iX assessment: only exploitable by a privileged user
openssl (3.0.9-2) Checking excessively long DH keys or parameters may be very slow. Impact summary: Applications that use the functions DH_check(), DH_check_ex() or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service. The function DH_check() performs various checks on DH parameters. After fixing CVE-2023-3446 it was discovered that a large q parameter value can also trigger an overly long computation during some of these checks. A correct q value, if present, cannot be larger than the modulus p parameter, thus it is unnecessary to perform these checks if q is larger than p. An application that calls DH_check() and supplies a key or parameters obtained from an untrusted source could be vulnerable to a Denial of Service attack. The function DH_check() is itself called by a number of other OpenSSL functions. An application calling any of those other functions may similarly be affected. The other functions affected by this are DH_check_ex() and EVP_PKEY_param_check(). Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications when using the "-check" option. The OpenSSL SSL/TLS implementation is not affected by this issue. The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue. CVE-2023-3817 Medium Low SCALE 23.10.0 SCALE 23.10.1 Link iX assessment: only exploitable by a privileged user
perl (5.36.0-7) CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS. CVE-2023-31484 High Low SCALE 23.10.0 Not yet resolved Link iX assessment: only exploitable by a privileged user
perl (5.36.0-7) HTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available standalone on CPAN, has an insecure default TLS configuration where users must opt in to verify certificates. CVE-2023-31486 High Low SCALE 23.10.0 Not yet resolved Link iX assessment: only exploitable by a privileged user
openssl (3.0.9-2) Issue summary: The POLY1305 MAC (message authentication code) implementation contains a bug that might corrupt the internal state of applications on the Windows 64 platform when running on newer X86_64 processors supporting the AVX512-IFMA instructions. Impact summary: If in an application that uses the OpenSSL library an attacker can influence whether the POLY1305 MAC algorithm is used, the application state might be corrupted with various application dependent consequences. The POLY1305 MAC (message authentication code) implementation in OpenSSL does not save the contents of non-volatile XMM registers on Windows 64 platform when calculating the MAC of data larger than 64 bytes. Before returning to the caller all the XMM registers are set to zero rather than restoring their previous content. The vulnerable code is used only on newer x86_64 processors supporting the AVX512-IFMA instructions. The consequences of this kind of internal application state corruption can be various - from no consequences, if the calling application does not depend on the contents of non-volatile XMM registers at all, to the worst consequences, where the attacker could get complete control of the application process. However given the contents of the registers are just zeroized so the attacker cannot put arbitrary values inside, the most likely consequence, if any, would be an incorrect result of some application dependent calculations or a crash leading to a denial of service. The POLY1305 MAC algorithm is most frequently used as part of the CHACHA20-POLY1305 AEAD (authenticated encryption with associated data) algorithm. The most common usage of this AEAD cipher is with TLS protocol versions 1.2 and 1.3 and a malicious client can influence whether this AEAD cipher is used by the server. This implies that server applications using OpenSSL can be potentially impacted. However we are currently not aware of any concrete application that would be affected by this issue therefore we consider this a Low severity security issue. As a workaround the AVX512-IFMA instructions support can be disabled at runtime by setting the environment variable OPENSSL_ia32cap: OPENSSL_ia32cap=:~0x200000 The FIPS provider is not affected by this issue. CVE-2023-4807 High False Positive SCALE 23.10.0 N/A False Positive Link Only applicable to Windows operating systems - False positive
k8s.io/apiserver (v0.27.2) A security issue was discovered in Kubernetes where actors that control the responses of MutatingWebhookConfiguration or ValidatingWebhookConfiguration requests are able to redirect kube-apiserver requests to private networks of the apiserver. If that user can view kube-apiserver logs when the log level is set to 10, they can view the redirected responses and headers in the logs. CVE-2020-8561 Medium Low SCALE 23.10.1 Not yet resolved Link iX assessment: only exploitable by a privileged user
golang.org/x/net/ (0.10.0, 0.8.0, 0.7.0) Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack. CVE-2023-3978 Medium Low SCALE 23.10.1 Not yet resolved Link iX assessment: only exploitable by a privileged user
golang.org/x/net/ (0.10.0, 0.8.0, 0.7.0) A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function. CVE-2023-39325 High Low SCALE 23.10.1 Not yet resolved Link iX assessment: minor issue, no advisory.
google.golang.org/grpc (v1.40.0) When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration. CVE-2023-32731 High False Positive SCALE 23.10.1 N/A False Positive Link Some scanning tools identify this C++-only bug for grpc; this deployment uses the Go language. No exposure.
google.golang.org/protobuf (v1.30, v1.28 & v1.28.1) Nullptr dereference when a null char is present in a proto symbol. The symbol is parsed incorrectly, leading to an unchecked call into the proto file's name during generation of the resulting error message. Since the symbol is incorrectly parsed, the file is nullptr. We recommend upgrading to version 3.15.0 or greater. CVE-2021-22570 Medium False Positive SCALE 23.10.1 N/A False Positive Link Some scanning tools identify this C++-only bug for grpc; this deployment uses the Go language. No exposure.
google.golang.org/protobuf (v1.30, v1.29 & v1.28.1) protobuf allows remote authenticated attackers to cause a heap-based buffer overflow. CVE-2015-5237 High False Positive SCALE 23.10.1 N/A False Positive Link Some scanning tools identify this C++-only bug for grpc; this deployment uses the Go language. No exposure.
github.com/rclone/rclone (v1.63.0) In Rclone 1.42, use of "rclone sync" to migrate data between two Google Cloud Storage buckets might allow attackers to trigger the transmission of any URL's content to Google, because there is no validation of a URL field received from the Google Cloud Storage API server, aka a "RESTLESS" issue. CVE-2018-12907 High False Positive SCALE 23.10.1 N/A False Positive Link TrueNAS SCALE does not support cloud to cloud sync, not exposed
busybox (1:1.35.0-4+b3) An issue was discovered in BusyBox through 1.30.0. An out of bounds read in udhcp components (consumed by the DHCP client, server, and/or relay) might allow a remote attacker to leak sensitive information from the stack by sending a crafted DHCP message. This is related to assurance of a 4-byte length when decoding DHCP_SUBNET. NOTE: this issue exists because of an incomplete fix for CVE-2018-20679. CVE-2019-5747 High False Positive SCALE 23.10.1 N/A False Positive Link Some scanning tools identify this vulnerability due to version string parsing issues; this release of busybox includes the fix to address this vulnerability and is not impacted.
busybox (1:1.35.0-4+b3) BusyBox project BusyBox wget version prior to commit 8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e contains a Buffer Overflow vulnerability in Busybox wget that can result in heap buffer overflow. This attack appears to be exploitable via network connectivity. This vulnerability appears to have been fixed after commit 8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e. CVE-2018-1000517 Critical False Positive SCALE 23.10.1 N/A False Positive Link Some scanning tools identify this vulnerability due to version string parsing issues; this release of busybox includes the fix to address this vulnerability and is not impacted.
busybox (1:1.35.0-4+b3) An issue was discovered in BusyBox before 1.30.0. An out of bounds read in udhcp components (consumed by the DHCP server, client, and relay) allows a remote attacker to leak sensitive information from the stack by sending a crafted DHCP message. This is related to verification in udhcp_get_option() in networking/udhcp/common.c that 4-byte options are indeed 4 bytes. CVE-2018-20679 High False Positive SCALE 23.10.1 N/A False Positive Link Some scanning tools identify this vulnerability due to version string parsing issues; this release of busybox includes the fix to address this vulnerability and is not impacted.
busybox (1:1.35.0-4+b3) In the add_match function in libbb/lineedit.c in BusyBox through 1.27.2, the tab autocomplete feature of the shell, used to get a list of filenames in a directory, does not sanitize filenames and results in executing any escape sequence in the terminal. This could potentially result in code execution, arbitrary file writes, or other attacks. CVE-2017-16544 High False Positive SCALE 23.10.1 N/A False Positive Link Some scanning tools identify this vulnerability due to version string parsing issues; this release of busybox includes the fix to address this vulnerability and is not impacted.
busybox (1:1.35.0-4+b3) Integer overflow in the DHCP client (udhcpc) in BusyBox before 1.25.0 allows remote attackers to cause a denial of service (crash) via a malformed RFC1035-encoded domain name, which triggers an out-of-bounds heap write. CVE-2016-2147 High False Positive SCALE 23.10.1 N/A False Positive Link Some scanning tools identify this vulnerability due to version string parsing issues; this release of busybox includes the fix to address this vulnerability and is not impacted.
busybox (1:1.35.0-4+b3) Heap-based buffer overflow in the DHCP client (udhcpc) in BusyBox before 1.25.0 allows remote attackers to have unspecified impact via vectors involving OPTION_6RD parsing. CVE-2016-2148 Critical False Positive SCALE 23.10.1 N/A False Positive Link Some scanning tools identify this vulnerability due to version string parsing issues; this release of busybox includes the fix to address this vulnerability and is not impacted.
busybox (1:1.35.0-4+b3) The recv_and_process_client_pkt function in networking/ntpd.c in busybox allows remote attackers to cause a denial of service (CPU and bandwidth consumption) via a forged NTP packet, which triggers a communication loop. CVE-2016-6301 High False Positive SCALE 23.10.1 N/A False Positive Link Some scanning tools identify this vulnerability due to version string parsing issues; this release of busybox includes the fix to address this vulnerability and is not impacted.
busybox (1:1.35.0-4+b3) huft_build in archival/libarchive/decompress_gunzip.c in BusyBox before 1.27.2 misuses a pointer, causing segfaults and an application crash during an unzip operation on a specially crafted ZIP file. CVE-2015-9261 Medium False Positive SCALE 23.10.1 N/A False Positive Link Some scanning tools identify this vulnerability due to version string parsing issues; this release of busybox includes the fix to address this vulnerability and is not impacted.
busybox (1:1.35.0-4+b3) The add_probe function in modutils/modprobe.c in BusyBox before 1.23.0 allows local users to bypass intended restrictions on loading kernel modules via a / (slash) character in a module name, as demonstrated by an "ifconfig /usbserial up" command or a "mount -t /snd_pcm none /" command. CVE-2014-9645 Medium False Positive SCALE 23.10.1 N/A False Positive Link Some scanning tools identify this vulnerability due to version string parsing issues; this release of busybox includes the fix to address this vulnerability and is not impacted.
busybox (1:1.35.0-4+b3) util-linux/mdev.c in BusyBox before 1.21.0 uses 0777 permissions for parent directories when creating nested directories under /dev/, which allows local users to have unknown impact and attack vectors. CVE-2013-1813 High False Positive SCALE 23.10.1 N/A False Positive Link Some scanning tools identify this vulnerability due to version string parsing issues; this release of busybox includes the fix to address this vulnerability and is not impacted.
busybox (1:1.35.0-4+b3) The DHCP client (udhcpc) in BusyBox before 1.20.0 allows remote DHCP servers to execute arbitrary commands via shell metacharacters in the (1) HOST_NAME, (2) DOMAIN_NAME, (3) NIS_DOMAIN, and (4) TFTP_SERVER_NAME host name options. CVE-2011-2716 Medium False Positive SCALE 23.10.1 N/A False Positive Link Some scanning tools identify this vulnerability due to version string parsing issues; this release of busybox includes the fix to address this vulnerability and is not impacted.
busybox (1:1.35.0-4+b3) Directory traversal vulnerability in the BusyBox implementation of tar before 1.22.0 v5 allows remote attackers to point to files outside the current working directory via a symlink. CVE-2011-5325 High False Positive SCALE 23.10.1 N/A False Positive Link Some scanning tools identify this vulnerability due to version string parsing issues; this release of busybox includes the fix to address this vulnerability and is not impacted.
busybox (1:1.35.0-4+b3) There is a stack overflow vulnerability in ash.c:6030 in busybox before 1.35. In the environment of Internet of Vehicles, this vulnerability can be executed from command to arbitrary code execution. CVE-2022-48174 High False Positive SCALE 23.10.1 N/A False Positive Link Some scanning tools identify this vulnerability due to version string parsing issues; this release of busybox includes the fix to address this vulnerability and is not impacted.
busybox (1:1.35.0-4+b3) BusyBox through 1.35.0 allows remote attackers to execute arbitrary code if netstat is used to print a DNS PTR record's value to a VT compatible terminal. Alternatively, the attacker could choose to change the terminal's colors. CVE-2022-28391 High Low SCALE 23.10.1 Not yet resolved Link [bookworm] - sudo <no-dsa> (Minor issue) iX assessment: only exploitable by a privileged user
haproxy (2.6.12-1) An uncontrolled resource consumption vulnerability was discovered in HAProxy which could crash the service. This issue could allow an authenticated remote attacker to run a specially crafted malicious server in an OpenShift cluster. The biggest impact is to availability. CVE-2023-40225 High Low SCALE 23.10.1 Not yet resolved Link iX assessment: only exploitable by a privileged user
haproxy (2.6.12-1) HAProxy before 2.8.2 accepts # as part of the URI component, which might allow remote attackers to obtain sensitive information or have unspecified other impact upon misinterpretation of a path_end rule, such as routing index.html#.png to a static server. CVE-2023-45539 High False Positive SCALE 23.10.1 N/A False Positive Link iX assessment: system not affected. We have control over the rules used in matches for HAProxy, and this CVE is only a problem if the rules are intended to match based on the suffix (haproxy: //github BUG/MINOR: h1: do not accept '#' as part of the URI component reported).
perl (5.36.0-7) CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS. CVE-2023-31484 High Low SCALE 23.10.1 Not yet resolved Link [bookworm] - sudo <no-dsa> (Minor issue) iX assessment: only exploitable by a privileged user
perl (5.36.0-7) HTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available standalone on CPAN, has an insecure default TLS configuration where users must opt in to verify certificates. CVE-2023-31486 High Low SCALE 23.10.1 Not yet resolved Link [bookworm] - sudo <no-dsa> (Minor issue) iX assessment: only exploitable by a privileged user
perl (5.36.0-7) In Perl before 5.38.2, S_parse_uniprop_string in regcomp.c can write to unallocated space because a property name associated with a \p{...} regular expression construct is mishandled. The earliest affected version is 5.30.0. CVE-2023-41700 High Low SCALE 23.10.1 Not yet resolved Link [bookworm] - sudo <no-dsa> (Minor issue) iX assessment: only exploitable by a privileged user
openssl (3.0.12-) Issue summary: Generating excessively long X9.42 DH keys or checking excessively long X9.42 DH keys or parameters may be very slow. Impact summary: Applications that use the functions DH_generate_key() to generate an X9.42 DH key may experience long delays. Likewise, applications that use DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check() to check an X9.42 DH key or X9.42 DH parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service. While DH_check() performs all the necessary checks (as of CVE-2023-3817), DH_check_pub_key() doesn't make any of these checks, and is therefore vulnerable for excessively large P and Q parameters. Likewise, while DH_generate_key() performs a check for an excessively large P, it doesn't check for an excessively large Q. An application that calls DH_generate_key() or DH_check_pub_key() and supplies a key or parameters obtained from an untrusted source could be vulnerable to a Denial of Service attack. DH_generate_key() and DH_check_pub_key() are also called by a number of other OpenSSL functions. An application calling any of those other functions may similarly be affected. The other functions affected by this are DH_check_pub_key_ex(), EVP_PKEY_public_check(), and EVP_PKEY_generate(). Also vulnerable are the OpenSSL pkey command line application when using the "-pubcheck" option, as well as the OpenSSL genpkey command line application. The OpenSSL SSL/TLS implementation is not affected by this issue. The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue. CVE-2023-5678 Medium Low SCALE 23.10.1 Not yet resolved Link [bookworm] - sudo <no-dsa> (Minor issue) iX assessment: only exploitable by a privileged user
busybox 1:1.35.0-4+b3 BusyBox through 1.35.0 allows remote attackers to execute arbitrary code if netstat is used to print a DNS PTR record's value to a VT compatible terminal. Alternatively, the attacker could choose to change the terminal's colors. CVE-2022-28391 Medium False Positive SCALE 23.10.2 Link
busybox 1:1.35.0-4+b3 An issue was discovered in BusyBox through 1.30.0. An out of bounds read in udhcp components (consumed by the DHCP client, server, and/or relay) might allow a remote attacker to leak sensitive information from the stack by sending a crafted DHCP message. This is related to assurance of a 4-byte length when decoding DHCP_SUBNET. NOTE: this issue exists because of an incomplete fix for CVE-2018-20679. CVE-2019-5747 Medium False Positive SCALE 23.10.2 Link
busybox 1:1.35.0-4+b3 Busybox contains a Missing SSL certificate validation vulnerability in the "busybox wget" applet that can result in arbitrary code execution. This attack appears to be exploitable by simply downloading any file over HTTPS using "busybox wget https://compromised-domain.com/important-file". CVE-2018-1000500 Medium False Positive SCALE 23.10.2 Link
busybox 1:1.35.0-4+b3 BusyBox project BusyBox wget version prior to commit 8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e contains a Buffer Overflow vulnerability in Busybox wget that can result in heap buffer overflow. This attack appears to be exploitable via network connectivity. This vulnerability appears to have been fixed after commit 8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e. CVE-2018-1000517 High False Positive SCALE 23.10.2 Link
busybox 1:1.35.0-4+b3 An issue was discovered in BusyBox before 1.30.0. An out of bounds read in udhcp components (consumed by the DHCP server, client, and relay) allows a remote attacker to leak sensitive information from the stack by sending a crafted DHCP message. This is related to verification in udhcp_get_option() in networking/udhcp/common.c that 4-byte options are indeed 4 bytes. CVE-2018-20679 Medium False Positive SCALE 23.10.2 Link
busybox 1:1.35.0-4+b3 In the add_match function in libbb/lineedit.c in BusyBox through 1.27.2, the tab autocomplete feature of the shell, used to get a list of filenames in a directory, does not sanitize filenames and results in executing any escape sequence in the terminal. This could potentially result in code execution, arbitrary file writes, or other attacks. CVE-2017-16544 Medium False Positive SCALE 23.10.2 Link
busybox 1:1.35.0-4+b3 Integer overflow in the DHCP client (udhcpc) in BusyBox before 1.25.0 allows remote attackers to cause a denial of service (crash) via a malformed RFC1035-encoded domain name, which triggers an out-of-bounds heap write. CVE-2016-2147 Medium False Positive SCALE 23.10.2 Link
busybox 1:1.35.0-4+b3 Heap-based buffer overflow in the DHCP client (udhcpc) in BusyBox before 1.25.0 allows remote attackers to have unspecified impact via vectors involving OPTION_6RD parsing. CVE-2016-2148 High False Positive SCALE 23.10.2 Link
busybox 1:1.35.0-4+b3 The recv_and_process_client_pkt function in networking/ntpd.c in busybox allows remote attackers to cause a denial of service (CPU and bandwidth consumption) via a forged NTP packet, which triggers a communication loop. CVE-2016-6301 High False Positive SCALE 23.10.2 Link
busybox 1:1.35.0-4+b3 huft_build in archival/libarchive/decompress_gunzip.c in BusyBox before 1.27.2 misuses a pointer, causing segfaults and an application crash during an unzip operation on a specially crafted ZIP file. CVE-2015-9261 Medium False Positive SCALE 23.10.2 Link
busybox 1:1.35.0-4+b3 The add_probe function in modutils/modprobe.c in BusyBox before 1.23.0 allows local users to bypass intended restrictions on loading kernel modules via a / (slash) character in a module name, as demonstrated by an "ifconfig /usbserial up" command or a "mount -t /snd_pcm none /" command. CVE-2014-9645 Low False Positive SCALE 23.10.2 Link
busybox 1:1.35.0-4+b3 util-linux/mdev.c in BusyBox before 1.21.0 uses 0777 permissions for parent directories when creating nested directories under /dev/, which allows local users to have unknown impact and attack vectors. CVE-2013-1813 High False Positive SCALE 23.10.2 Link
busybox 1:1.35.0-4+b3 The DHCP client (udhcpc) in BusyBox before 1.20.0 allows remote DHCP servers to execute arbitrary commands via shell metacharacters in the (1) HOST_NAME, (2) DOMAIN_NAME, (3) NIS_DOMAIN, and (4) TFTP_SERVER_NAME host name options. CVE-2011-2716 Medium False Positive SCALE 23.10.2 Link
busybox 1:1.35.0-4+b3 Directory traversal vulnerability in the BusyBox implementation of tar before 1.22.0 v5 allows remote attackers to point to files outside the current working directory via a symlink. CVE-2011-5325 Medium False Positive SCALE 23.10.2 Link
busybox 1:1.35.0-4+b3 There is a stack overflow vulnerability in ash.c:6030 in busybox before 1.35. In the environment of Internet of Vehicles, this vulnerability can be executed from command to arbitrary code execution. CVE-2022-48174 Critical False Positive SCALE 23.10.2 Link
file 1:5.44-3 Integer underflow in the file_printf function in the "file" program before 4.20 allows user-assisted attackers to execute arbitrary code via a file that triggers a heap-based buffer overflow. CVE-2007-1536 High False Positive SCALE 23.10.2 Link
git 1:2.39.2-1.1 The package git before 1.11.0 is vulnerable to Command Injection via git argument injection. When calling the fetch(remote = 'origin', opts = {}) function, the remote parameter is passed to the git fetch subcommand in a way that additional flags can be set. The additional flags can be used to perform a command injection. CVE-2022-25648 High False Positive SCALE 23.10.2 Link
git 1:2.39.2-1.1 Affected versions of Git have a vulnerability whereby Git can be tricked into sending private credentials to a host controlled by an attacker. Git uses external "credential helper" programs to store and retrieve passwords or other credentials from secure storage provided by the operating system. Specially-crafted URLs that contain an encoded newline can inject unintended values into the credential helper protocol stream, causing the credential helper to retrieve the password for one server (e.g., good.example.com) for an HTTP request being made to another server (e.g., evil.example.com), resulting in credentials for the former being sent to the latter. There are no restrictions on the relationship between the two, meaning that an attacker can craft a URL that will present stored credentials for any host to a host of their choosing. The vulnerability can be triggered by feeding a malicious URL to git clone. However, the affected URLs look rather suspicious; the likely vector would be through systems which automatically clone URLs not visible to the user, such as Git submodules, or package systems built around Git. The problem has been patched in the versions published on April 14th, 2020, going back to v2.17.x. Anyone wishing to backport the change further can do so by applying commit 9a6bbee (the full release includes extra checks for git fsck, but that commit is sufficient to protect clients against the vulnerability). The patched versions are: 2.17.4, 2.18.3, 2.19.4, 2.20.3, 2.21.2, 2.22.3, 2.23.2, 2.24.2, 2.25.3, 2.26.1. CVE-2020-5260 Medium False Positive SCALE 23.10.2 Link
github.com/go-git/go-git/v5 v5.9.0 A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.11. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server which triggers resource exhaustion in go-git clients. Applications using only the in-memory filesystem supported by go-git are not affected by this vulnerability. This is a go-git implementation issue and does not affect the upstream git cli. CVE-2023-49568 High False Positive SCALE 23.10.2 Link
github.com/go-git/go-git/v5 v5.9.0 A path traversal vulnerability was discovered in go-git versions prior to v5.11. This vulnerability allows an attacker to create and amend files across the filesystem. In the worst-case scenario, remote code execution could be achieved. Applications are only affected if they are using the ChrootOS https://pkg.go.dev/github.com/go-git/go-billy/v5/osfs#ChrootOS , which is the default when using "Plain" versions of Open and Clone funcs (e.g. PlainClone). Applications using BoundOS https://pkg.go.dev/github.com/go-git/go-billy/v5/osfs#BoundOS or in-memory filesystems are not affected by this issue. This is a go-git implementation issue and does not affect the upstream git cli. CVE-2023-49569 Critical False Positive SCALE 23.10.2 Link
github.com/opencontainers/runc v1.1.5 runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc 1.1.11 and earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned container process (from runc exec) to have a working directory in the host filesystem namespace, allowing for a container escape by giving access to the host filesystem ("attack 2"). The same attack could be used by a malicious image to allow a container process to gain access to the host filesystem through runc run ("attack 1"). Variants of attacks 1 and 2 could also be used to overwrite semi-arbitrary host binaries, allowing for complete container escapes ("attack 3a" and "attack 3b"). runc 1.1.12 includes patches for this issue. CVE-2024-21626 High Medium SCALE 23.10.2 Dragonfish 24.10 Link Vulnerability is not exposed from base product. Exposure comes from installing a malicious app. Use care when choosing apps.
github.com/rclone/rclone v1.63.0 In Rclone 1.42, use of "rclone sync" to migrate data between two Google Cloud Storage buckets might allow attackers to trigger the transmission of any URL's content to Google, because there is no validation of a URL field received from the Google Cloud Storage API server, aka a "RESTLESS" issue. CVE-2018-12907 Medium Low SCALE 23.10.2 Not yet resolved Link
golang.org/x/crypto v0.13.0 The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust. CVE-2023-48795 Medium False Positive SCALE 23.10.2 Link
golang.org/x/crypto v0.5.0 The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust. CVE-2023-48795 Medium False Positive SCALE 23.10.2 Link
golang.org/x/crypto v0.7.0 The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust. CVE-2023-48795 Medium False Positive SCALE 23.10.2 Link
golang.org/x/net v0.10.0 A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function. CVE-2023-39325 High False Positive SCALE 23.10.2 Link
golang.org/x/net v0.10.0 Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack. CVE-2023-3978 Medium False Positive SCALE 23.10.2 Link
golang.org/x/net v0.15.0 A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function. CVE-2023-39325 High False Positive SCALE 23.10.2 Link
golang.org/x/net v0.7.0 A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function. CVE-2023-39325 High False Positive SCALE 23.10.2 Link
golang.org/x/net v0.7.0 Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack. CVE-2023-3978 Medium False Positive SCALE 23.10.2 Link
golang.org/x/net v0.8.0 A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function. CVE-2023-39325 High False Positive SCALE 23.10.2 Link
golang.org/x/net v0.8.0 Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack. CVE-2023-3978 Medium False Positive SCALE 23.10.2 Link
golang.org/x/net v0.8.0 Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack. CVE-2023-3978 Medium Low SCALE 23.10.2 Not yet resolved Link
google.golang.org/grpc v1.40.0 When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration. We recommend upgrading beyond the commit contained in https://github.com/grpc/grpc/pull/33005 CVE-2023-32731 High False Positive SCALE 23.10.2 Link
google.golang.org/protobuf v1.28.0 Nullptr dereference when a null char is present in a proto symbol. The symbol is parsed incorrectly, leading to an unchecked call into the proto file's name during generation of the resulting error message. Since the symbol is incorrectly parsed, the file is nullptr. We recommend upgrading to version 3.15.0 or greater. CVE-2021-22570 Low False Positive SCALE 23.10.2 Link
google.golang.org/protobuf v1.28.0 protobuf allows remote authenticated attackers to cause a heap-based buffer overflow. CVE-2015-5237 Medium False Positive SCALE 23.10.2 Link
google.golang.org/protobuf v1.28.1 Nullptr dereference when a null char is present in a proto symbol. The symbol is parsed incorrectly, leading to an unchecked call into the proto file's name during generation of the resulting error message. Since the symbol is incorrectly parsed, the file is nullptr. We recommend upgrading to version 3.15.0 or greater. CVE-2021-22570 Low False Positive SCALE 23.10.2 Link
google.golang.org/protobuf v1.28.1 protobuf allows remote authenticated attackers to cause a heap-based buffer overflow. CVE-2015-5237 Medium False Positive SCALE 23.10.2 Link
google.golang.org/protobuf v1.30.0 Nullptr dereference when a null char is present in a proto symbol. The symbol is parsed incorrectly, leading to an unchecked call into the proto file's name during generation of the resulting error message. Since the symbol is incorrectly parsed, the file is nullptr. We recommend upgrading to version 3.15.0 or greater. CVE-2021-22570 Low False Positive SCALE 23.10.2 Link
google.golang.org/protobuf v1.30.0 protobuf allows remote authenticated attackers to cause a heap-based buffer overflow. CVE-2015-5237 Medium False Positive SCALE 23.10.2 Link
haproxy 2.6.12-1 An uncontrolled resource consumption vulnerability was discovered in HAProxy which could crash the service. This issue could allow an authenticated remote attacker to run a specially crafted malicious server in an OpenShift cluster. The biggest impact is to availability. CVE-2023-0056 Medium False Positive SCALE 23.10.2 Link
haproxy 2.6.12-1 HAProxy statistics in openstack-tripleo-image-elements are non-authenticated over the network. CVE-2016-2102 Medium False Positive SCALE 23.10.2 Link
haproxy 2.6.12-1 HAProxy through 2.0.32, 2.1.x and 2.2.x through 2.2.30, 2.3.x and 2.4.x through 2.4.23, 2.5.x and 2.6.x before 2.6.15, 2.7.x before 2.7.10, and 2.8.x before 2.8.2 forwards empty Content-Length headers, violating RFC 9110 section 8.6. In uncommon cases, an HTTP/1 server behind HAProxy may interpret the payload as an extra request. CVE-2023-40225 High False Positive SCALE 23.10.2 Link
haproxy 2.6.12-1 HAProxy before 2.8.2 accepts # as part of the URI component, which might allow remote attackers to obtain sensitive information or have unspecified other impact upon misinterpretation of a path_end rule, such as routing index.html#.png to a static server. CVE-2023-45539 High False Positive SCALE 23.10.2 Link
k8s.io/apiserver v0.27.2 A security issue was discovered in Kubernetes where actors that control the responses of MutatingWebhookConfiguration or ValidatingWebhookConfiguration requests are able to redirect kube-apiserver requests to private networks of the apiserver. If that user can view kube-apiserver logs when the log level is set to 10, they can view the redirected responses and headers in the logs. CVE-2020-8561 Medium False Positive SCALE 23.10.2 Link
keepalived 1:2.2.7-1+b2 In Keepalived through 2.2.4, the D-Bus policy does not sufficiently restrict the message destination, allowing any user to inspect and manipulate any property. This leads to access-control bypass in some situations in which an unrelated D-Bus system service has a settable (writable) property. CVE-2021-44225 Medium False Positive SCALE 23.10.2 Link
keepalived 1:2.2.7-1+b2 keepalived before 2.0.7 has a heap-based buffer overflow when parsing HTTP status codes resulting in DoS or possibly unspecified other impact, because extract_status_code in lib/html.c has no validation of the status code and instead writes an unlimited amount of data to the heap. CVE-2018-19115 High False Positive SCALE 23.10.2 Link keepalived not used in proxy mode.
openssl 3.0.11-1~deb12u3 Issue summary: A bug has been identified in the processing of key and initialisation vector (IV) lengths. This can lead to potential truncation or overruns during the initialisation of some symmetric ciphers. Impact summary: A truncation in the IV can result in non-uniqueness, which could result in loss of confidentiality for some cipher modes. When calling EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() or EVP_CipherInit_ex2() the provided OSSL_PARAM array is processed after the key and IV have been established. Any alterations to the key length, via the "keylen" parameter or the IV length, via the "ivlen" parameter, within the OSSL_PARAM array will not take effect as intended, potentially causing truncation or overreading of these values. The following ciphers and cipher modes are impacted: RC2, RC4, RC5, CCM, GCM and OCB. For the CCM, GCM and OCB cipher modes, truncation of the IV can result in loss of confidentiality. For example, when following NIST's SP 800-38D section 8.2.1 guidance for constructing a deterministic IV for AES in GCM mode, truncation of the counter portion could lead to IV reuse. Both truncations and overruns of the key and overruns of the IV will produce incorrect results and could, in some cases, trigger a memory exception. However, these issues are not currently assessed as security critical. Changing the key and/or IV lengths is not considered to be a common operation and the vulnerable API was recently introduced. Furthermore it is likely that application developers will have spotted this problem during testing since decryption would fail unless both peers in the communication were similarly vulnerable. For these reasons we expect the probability of an application being vulnerable to this to be quite low. However if an application is vulnerable then this issue is considered very serious. For these reasons we have assessed this issue as Moderate severity overall. The OpenSSL SSL/TLS implementation is not affected by this issue. The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this because the issue lies outside of the FIPS provider boundary. OpenSSL 3.1 and 3.0 are vulnerable to this issue. CVE-2023-5363 High False Positive SCALE 23.10.2 Link
openssl 3.0.11-1~deb12u3 Issue summary: Generating excessively long X9.42 DH keys or checking excessively long X9.42 DH keys or parameters may be very slow. Impact summary: Applications that use the functions DH_generate_key() to generate an X9.42 DH key may experience long delays. Likewise, applications that use DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check() to check an X9.42 DH key or X9.42 DH parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service. While DH_check() performs all the necessary checks (as of CVE-2023-3817), DH_check_pub_key() doesn't make any of these checks, and is therefore vulnerable for excessively large P and Q parameters. Likewise, while DH_generate_key() performs a check for an excessively large P, it doesn't check for an excessively large Q. An application that calls DH_generate_key() or DH_check_pub_key() and supplies a key or parameters obtained from an untrusted source could be vulnerable to a Denial of Service attack. DH_generate_key() and DH_check_pub_key() are also called by a number of other OpenSSL functions. An application calling any of those other functions may similarly be affected. The other functions affected by this are DH_check_pub_key_ex(), EVP_PKEY_public_check(), and EVP_PKEY_generate(). Also vulnerable are the OpenSSL pkey command line application when using the "-pubcheck" option, as well as the OpenSSL genpkey command line application. The OpenSSL SSL/TLS implementation is not affected by this issue. The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue. CVE-2023-5678 Medium False Positive SCALE 23.10.2 Link
openssl 3.0.11-1~deb12u3 Issue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL to crash, leading to a potential Denial of Service attack. Impact summary: Applications loading files in the PKCS12 format from untrusted sources might terminate abruptly. A file in PKCS12 format can contain certificates and keys and may come from an untrusted source. The PKCS12 specification allows certain fields to be NULL, but OpenSSL does not correctly check for this case. This can lead to a NULL pointer dereference that results in OpenSSL crashing. If an application processes PKCS12 files from an untrusted source using the OpenSSL APIs then that application will be vulnerable to this issue. OpenSSL APIs that are vulnerable to this are: PKCS12_parse(), PKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes() and PKCS12_newpass(). We have also fixed a similar issue in SMIME_write_PKCS7(). However since this function is related to writing data we do not consider it security significant. The FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue. CVE-2024-0727 Medium False Positive SCALE 23.10.2 Link
openssl 3.0.11-1~deb12u3 Issue summary: The POLY1305 MAC (message authentication code) implementation contains a bug that might corrupt the internal state of applications running on PowerPC CPU based platforms if the CPU provides vector instructions. Impact summary: If an attacker can influence whether the POLY1305 MAC algorithm is used, the application state might be corrupted with various application dependent consequences. The POLY1305 MAC (message authentication code) implementation in OpenSSL for PowerPC CPUs restores the contents of vector registers in a different order than they are saved. Thus the contents of some of these vector registers are corrupted when returning to the caller. The vulnerable code is used only on newer PowerPC processors supporting the PowerISA 2.07 instructions. The consequences of this kind of internal application state corruption can be various - from no consequences, if the calling application does not depend on the contents of non-volatile XMM registers at all, to the worst consequences, where the attacker could get complete control of the application process. However unless the compiler uses the vector registers for storing pointers, the most likely consequence, if any, would be an incorrect result of some application dependent calculations or a crash leading to a denial of service. The POLY1305 MAC algorithm is most frequently used as part of the CHACHA20-POLY1305 AEAD (authenticated encryption with associated data) algorithm. The most common usage of this AEAD cipher is with TLS protocol versions 1.2 and 1.3. If this cipher is enabled on the server a malicious client can influence whether this AEAD cipher is used. This implies that TLS server applications using OpenSSL can be potentially impacted. However we are currently not aware of any concrete application that would be affected by this issue therefore we consider this a Low severity security issue. CVE-2023-6129 Medium False Positive SCALE 23.10.2 Link
perl 5.36.0-7 HTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available standalone on CPAN, has an insecure default TLS configuration where users must opt in to verify certificates. CVE-2023-31486 High False Positive SCALE 23.10.2 Link
perl 5.36.0-7 CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS. CVE-2023-31484 High False Positive SCALE 23.10.2 Link
perl 5.36.0-7 In Perl before 5.38.2, S_parse_uniprop_string in regcomp.c can write to unallocated space because a property name associated with a \p{...} regular expression construct is mishandled. The earliest affected version is 5.30.0. CVE-2023-47100 Critical False Positive SCALE 23.10.2 Link Perl not used with this regular expression.
busybox 1:1.35.0-4+b3 The add_probe function in modutils/modprobe.c in BusyBox before 1.23.0 allows local users to bypass intended restrictions on loading kernel modules via a / (slash) character in a module name, as demonstrated by an "ifconfig /usbserial up" command or a "mount -t /snd_pcm none /" command. CVE-2014-9645 Low False Positive SCALE 24.04.0 Link busybox not used for add_probe internally.
busybox 1:1.35.0-4+b3 util-linux/mdev.c in BusyBox before 1.21.0 uses 0777 permissions for parent directories when creating nested directories under /dev/, which allows local users to have unknown impact and attack vectors. CVE-2013-1813 High False Positive SCALE 24.04.0 Link We don't use busybox for creating directories.
busybox 1:1.35.0-4+b3 The DHCP client (udhcpc) in BusyBox before 1.20.0 allows remote DHCP servers to execute arbitrary commands via shell metacharacters in the (1) HOST_NAME, (2) DOMAIN_NAME, (3) NIS_DOMAIN, and (4) TFTP_SERVER_NAME host name options. CVE-2011-2716 Medium False Positive SCALE 24.04.0 Link busybox DHCP not used.
busybox 1:1.35.0-4+b3 Directory traversal vulnerability in the BusyBox implementation of tar before 1.22.0 v5 allows remote attackers to point to files outside the current working directory via a symlink. CVE-2011-5325 Medium False Positive SCALE 24.04.0 Link We don't use busybox for tar.
busybox 1:1.35.0-4+b3 There is a stack overflow vulnerability in ash.c:6030 in busybox before 1.35. In the environment of Internet of Vehicles, this vulnerability can be executed from command to arbitrary code execution. CVE-2022-48174 Critical False Positive SCALE 24.04.0 Link We don't use busybox's ash.
file 1:5.44-3 Integer underflow in the file_printf function in the "file" program before 4.20 allows user-assisted attackers to execute arbitrary code via a file that triggers a heap-based buffer overflow. CVE-2007-1536 High False Positive SCALE 24.04.0 Link We don't use file internally.
git 1:2.39.2-1.1 The package git before 1.11.0 is vulnerable to Command Injection via git argument injection. When calling the fetch(remote = 'origin', opts = {}) function, the remote parameter is passed to the git fetch subcommand in a way that additional flags can be set. The additional flags can be used to perform a command injection. CVE-2022-25648 High False Positive SCALE 24.04.0 Link We don't use git fetch.
git 1:2.39.2-1.1 Affected versions of Git have a vulnerability whereby Git can be tricked into sending private credentials to a host controlled by an attacker. Git uses external "credential helper" programs to store and retrieve passwords or other credentials from secure storage provided by the operating system. Specially-crafted URLs that contain an encoded newline can inject unintended values into the credential helper protocol stream, causing the credential helper to retrieve the password for one server (e.g., good.example.com) for an HTTP request being made to another server (e.g., evil.example.com), resulting in credentials for the former being sent to the latter. There are no restrictions on the relationship between the two, meaning that an attacker can craft a URL that will present stored credentials for any host to a host of their choosing. The vulnerability can be triggered by feeding a malicious URL to git clone. However, the affected URLs look rather suspicious; the likely vector would be through systems which automatically clone URLs not visible to the user, such as Git submodules, or package systems built around Git. The problem has been patched in the versions published on April 14th, 2020, going back to v2.17.x. Anyone wishing to backport the change further can do so by applying commit 9a6bbee (the full release includes extra checks for git fsck, but that commit is sufficient to protect clients against the vulnerability). The patched versions are: 2.17.4, 2.18.3, 2.19.4, 2.20.3, 2.21.2, 2.22.3, 2.23.2, 2.24.2, 2.25.3, 2.26.1. CVE-2020-5260 Medium False Positive SCALE 24.04.0 Link We don't use git with credential helpers as part of base system.
google.golang.org/protobuf v1.28.0 Nullptr dereference when a null char is present in a proto symbol. The symbol is parsed incorrectly, leading to an unchecked call into the proto file's name during generation of the resulting error message. Since the symbol is incorrectly parsed, the file is nullptr. We recommend upgrading to version 3.15.0 or greater. CVE-2021-22570 Low False Positive SCALE 24.04.0 Link
google.golang.org/protobuf v1.28.0 protobuf allows remote authenticated attackers to cause a heap-based buffer overflow. CVE-2015-5237 Medium False Positive SCALE 24.04.0 Link Protobuf use is internal; no opportunity for authenticated attacker to reach internals.
google.golang.org/protobuf v1.30.0 Nullptr dereference when a null char is present in a proto symbol. The symbol is parsed incorrectly, leading to an unchecked call into the proto file's name during generation of the resulting error message. Since the symbol is incorrectly parsed, the file is nullptr. We recommend upgrading to version 3.15.0 or greater. CVE-2021-22570 Low False Positive SCALE 24.04.0 Link
google.golang.org/protobuf v1.30.0 protobuf allows remote authenticated attackers to cause a heap-based buffer overflow. CVE-2015-5237 Medium False Positive SCALE 24.04.0 Link Protobuf use is internal; no opportunity for authenticated attacker to reach internals.
google.golang.org/protobuf v1.31.0 Nullptr dereference when a null char is present in a proto symbol. The symbol is parsed incorrectly, leading to an unchecked call into the proto file's name during generation of the resulting error message. Since the symbol is incorrectly parsed, the file is nullptr. We recommend upgrading to version 3.15.0 or greater. CVE-2021-22570 Low False Positive SCALE 24.04.0 Link
google.golang.org/protobuf v1.31.0 protobuf allows remote authenticated attackers to cause a heap-based buffer overflow. CVE-2015-5237 Medium False Positive SCALE 24.04.0 Link Protobuf use is internal; no opportunity for authenticated attacker to reach internals.
keepalived 1:2.2.7-1+b2 In Keepalived through 2.2.4, the D-Bus policy does not sufficiently restrict the message destination, allowing any user to inspect and manipulate any property. This leads to access-control bypass in some situations in which an unrelated D-Bus system service has a settable (writable) property. CVE-2021-44225 Medium False Positive SCALE 24.04.0 Link
keepalived 1:2.2.7-1+b2 keepalived before 2.0.7 has a heap-based buffer overflow when parsing HTTP status codes resulting in DoS or possibly unspecified other impact, because extract_status_code in lib/html.c has no validation of the status code and instead writes an unlimited amount of data to the heap. CVE-2018-19115 High False Positive SCALE 24.04.0 Link iX Analysis: We don't use keepalived in proxy mode, so this issue is irrelevant.
openssl 3.0.11-1~deb12u3 Issue summary: A bug has been identified in the processing of key and initialisation vector (IV) lengths. This can lead to potential truncation or overruns during the initialisation of some symmetric ciphers. Impact summary: A truncation in the IV can result in non-uniqueness, which could result in loss of confidentiality for some cipher modes. When calling EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() or EVP_CipherInit_ex2() the provided OSSL_PARAM array is processed after the key and IV have been established. Any alterations to the key length, via the "keylen" parameter or the IV length, via the "ivlen" parameter, within the OSSL_PARAM array will not take effect as intended, potentially causing truncation or overreading of these values. The following ciphers and cipher modes are impacted: RC2, RC4, RC5, CCM, GCM and OCB. For the CCM, GCM and OCB cipher modes, truncation of the IV can result in loss of confidentiality. For example, when following NIST's SP 800-38D section 8.2.1 guidance for constructing a deterministic IV for AES in GCM mode, truncation of the counter portion could lead to IV reuse. Both truncations and overruns of the key and overruns of the IV will produce incorrect results and could, in some cases, trigger a memory exception. However, these issues are not currently assessed as security critical. Changing the key and/or IV lengths is not considered to be a common operation and the vulnerable API was recently introduced. Furthermore it is likely that application developers will have spotted this problem during testing since decryption would fail unless both peers in the communication were similarly vulnerable. For these reasons we expect the probability of an application being vulnerable to this to be quite low. However if an application is vulnerable then this issue is considered very serious. For these reasons we have assessed this issue as Moderate severity overall. The OpenSSL SSL/TLS implementation is not affected by this issue. The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this because the issue lies outside of the FIPS provider boundary. OpenSSL 3.1 and 3.0 are vulnerable to this issue. CVE-2023-5363 High False Positive SCALE 24.04.0 Link Changing IV size is not present in current codebase.
openssl 3.0.11-1~deb12u3 Issue summary: Generating excessively long X9.42 DH keys or checking excessively long X9.42 DH keys or parameters may be very slow. Impact summary: Applications that use the functions DH_generate_key() to generate an X9.42 DH key may experience long delays. Likewise, applications that use DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check() to check an X9.42 DH key or X9.42 DH parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service. While DH_check() performs all the necessary checks (as of CVE-2023-3817), DH_check_pub_key() doesn't make any of these checks, and is therefore vulnerable for excessively large P and Q parameters. Likewise, while DH_generate_key() performs a check for an excessively large P, it doesn't check for an excessively large Q. An application that calls DH_generate_key() or DH_check_pub_key() and supplies a key or parameters obtained from an untrusted source could be vulnerable to a Denial of Service attack. DH_generate_key() and DH_check_pub_key() are also called by a number of other OpenSSL functions. An application calling any of those other functions may similarly be affected. The other functions affected by this are DH_check_pub_key_ex(), EVP_PKEY_public_check(), and EVP_PKEY_generate(). Also vulnerable are the OpenSSL pkey command line application when using the "-pubcheck" option, as well as the OpenSSL genpkey command line application. The OpenSSL SSL/TLS implementation is not affected by this issue. The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue. CVE-2023-5678 Medium False Positive SCALE 24.04.0 Link Openssl not used this way.
openssl 3.0.11-1~deb12u3 Issue summary: The POLY1305 MAC (message authentication code) implementation contains a bug that might corrupt the internal state of applications running on PowerPC CPU based platforms if the CPU provides vector instructions. Impact summary: If an attacker can influence whether the POLY1305 MAC algorithm is used, the application state might be corrupted with various application dependent consequences. The POLY1305 MAC (message authentication code) implementation in OpenSSL for PowerPC CPUs restores the contents of vector registers in a different order than they are saved. Thus the contents of some of these vector registers are corrupted when returning to the caller. The vulnerable code is used only on newer PowerPC processors supporting the PowerISA 2.07 instructions. The consequences of this kind of internal application state corruption can be various - from no consequences, if the calling application does not depend on the contents of non-volatile XMM registers at all, to the worst consequences, where the attacker could get complete control of the application process. However unless the compiler uses the vector registers for storing pointers, the most likely consequence, if any, would be an incorrect result of some application dependent calculations or a crash leading to a denial of service. The POLY1305 MAC algorithm is most frequently used as part of the CHACHA20-POLY1305 AEAD (authenticated encryption with associated data) algorithm. The most common usage of this AEAD cipher is with TLS protocol versions 1.2 and 1.3. If this cipher is enabled on the server a malicious client can influence whether this AEAD cipher is used. This implies that TLS server applications using OpenSSL can be potentially impacted. However we are currently not aware of any concrete application that would be affected by this issue therefore we consider this a Low severity security issue. CVE-2023-6129 Medium False Positive SCALE 24.04.0 Link System not PowerPC based.
perl 5.36.0-7+deb12u1 HTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available standalone on CPAN, has an insecure default TLS configuration where users must opt in to verify certificates. CVE-2023-31486 High False Positive SCALE 24.04.0 Link HTTP::Tiny not used this way in codebase.
perl 5.36.0-7+deb12u1 CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS. CVE-2023-31484 High False Positive SCALE 24.04.0 Link CPAN not used internally.
perl 5.36.0-7+deb12u1 In Perl before 5.38.2, S_parse_uniprop_string in regcomp.c can write to unallocated space because a property name associated with a \p{...} regular expression construct is mishandled. The earliest affected version is 5.30.0. CVE-2023-47100 Critical False Positive SCALE 24.04.0 Link We don't use vulnerable regexp in perl.
github.com/go-git/go-git/v5 v5.9.0 A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.11. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server which triggers resource exhaustion in go-git clients. Applications using only the in-memory filesystem supported by go-git are not affected by this vulnerability. This is a go-git implementation issue and does not affect the upstream git cli. CVE-2023-49568 High False Positive SCALE 24.04.0 Link artifact
github.com/go-git/go-git/v5 v5.9.0 A path traversal vulnerability was discovered in go-git versions prior to v5.11. This vulnerability allows an attacker to create and amend files across the filesystem. In the worst-case scenario, remote code execution could be achieved. Applications are only affected if they are using the ChrootOS (https://pkg.go.dev/github.com/go-git/go-billy/v5/osfs#ChrootOS), which is the default when using "Plain" versions of Open and Clone funcs (e.g. PlainClone). Applications using BoundOS (https://pkg.go.dev/github.com/go-git/go-billy/v5/osfs#BoundOS) or in-memory filesystems are not affected by this issue. This is a go-git implementation issue and does not affect the upstream git cli. CVE-2023-49569 Critical False Positive SCALE 24.04.0 Link
github.com/rclone/rclone v1.63.0 In Rclone 1.42, use of "rclone sync" to migrate data between two Google Cloud Storage buckets might allow attackers to trigger the transmission of any URL's content to Google, because there is no validation of a URL field received from the Google Cloud Storage API server, aka a "RESTLESS" issue. CVE-2018-12907 Medium False Positive SCALE 24.04.0 Link Opened NAS-127131
golang.org/x/crypto v0.13.0 The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust. CVE-2023-48795 Medium False Positive SCALE 24.04.0 Link We do not use Go-based ssh internally.
golang.org/x/crypto v0.7.0 The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust. CVE-2023-48795 Medium False Positive SCALE 24.04.0 Link We do not use Go-based ssh internally.
golang.org/x/net v0.10.0 A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function. CVE-2023-39325 High False Positive SCALE 24.04.0 Link Not serving HTTP via go code.
golang.org/x/net v0.10.0 Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack. CVE-2023-3978 Medium False Positive SCALE 24.04.0 Link We don't generate HTML from this package.
golang.org/x/net v0.15.0 A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function. CVE-2023-39325 High False Positive SCALE 24.04.0 Link Not serving HTTP via go code.
golang.org/x/net v0.7.0 A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function. CVE-2023-39325 High False Positive SCALE 24.04.0 Link Not serving HTTP via go code.
golang.org/x/net v0.7.0 Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack. CVE-2023-3978 Medium False Positive SCALE 24.04.0 Link We don't generate HTML from this package.
golang.org/x/net v0.8.0 A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function. CVE-2023-39325 High False Positive SCALE 24.04.0 Link Not serving HTTP via go code.
golang.org/x/net v0.8.0 Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack. CVE-2023-3978 Medium False Positive SCALE 24.04.0 Link We don't generate HTML from this package.
google.golang.org/grpc v1.40.0 When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration. We recommend upgrading beyond the commit contained in https://github.com/grpc/grpc/pull/33005 CVE-2023-32731 High False Positive SCALE 24.04.0 Link gRPC only used internally.
k8s.io/apiserver v0.29.0 A security issue was discovered in Kubernetes where actors that control the responses of MutatingWebhookConfiguration or ValidatingWebhookConfiguration requests are able to redirect kube-apiserver requests to private networks of the apiserver. If that user can view kube-apiserver logs when the log level is set to 10, they can view the redirected responses and headers in the logs. CVE-2020-8561 Medium False Positive SCALE 24.04.0 Link Not used.
github.com/mholt/archiver/v3 v3.5.1 A flaw was discovered in the mholt/archiver package. This flaw allows an attacker to create a specially crafted tar file, which, when unpacked, may allow access to restricted files or directories. This issue can allow the creation or overwriting of files with the user's or application's privileges using the library. CVE-2024-0406 Unknown False Positive SCALE 24.04.0 Link archiver not used to unpack arbitrary files.
busybox 1:1.35.0-4+b3 BusyBox through 1.35.0 allows remote attackers to execute arbitrary code if netstat is used to print a DNS PTR record's value to a VT compatible terminal. Alternatively, the attacker could choose to change the terminal's colors. CVE-2022-28391 Medium False Positive SCALE 24.04.0 Link We don't use busybox for netstat.
busybox 1:1.35.0-4+b3 An issue was discovered in BusyBox through 1.30.0. An out of bounds read in udhcp components (consumed by the DHCP client, server, and/or relay) might allow a remote attacker to leak sensitive information from the stack by sending a crafted DHCP message. This is related to assurance of a 4-byte length when decoding DHCP_SUBNET. NOTE: this issue exists because of an incomplete fix for CVE-2018-20679. CVE-2019-5747 Medium False Positive SCALE 24.04.0 Link We don't use busybox DHCP
busybox 1:1.35.0-4+b3 Busybox contains a missing SSL certificate validation vulnerability in the "busybox wget" applet that can result in arbitrary code execution. This attack appears to be exploitable by simply downloading any file over HTTPS using "busybox wget https://compromised-domain.com/important-file". CVE-2018-1000500 Medium False Positive SCALE 24.04.0 Link We don't use busybox wget
busybox 1:1.35.0-4+b3 BusyBox project BusyBox wget version prior to commit 8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e contains a buffer overflow vulnerability in Busybox wget that can result in a heap buffer overflow. This attack appears to be exploitable via network connectivity. This vulnerability appears to have been fixed in commit 8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e. CVE-2018-1000517 High False Positive SCALE 24.04.0 Link We don't use busybox's wget
busybox 1:1.35.0-4+b3 An issue was discovered in BusyBox before 1.30.0. An out of bounds read in udhcp components (consumed by the DHCP server, client, and relay) allows a remote attacker to leak sensitive information from the stack by sending a crafted DHCP message. This is related to verification in udhcp_get_option() in networking/udhcp/common.c that 4-byte options are indeed 4 bytes. CVE-2018-20679 Medium False Positive SCALE 24.04.0 Link We don't use busybox dhcp
busybox 1:1.35.0-4+b3 In the add_match function in libbb/lineedit.c in BusyBox through 1.27.2, the tab autocomplete feature of the shell, used to get a list of filenames in a directory, does not sanitize filenames and results in executing any escape sequence in the terminal. This could potentially result in code execution, arbitrary file writes, or other attacks. CVE-2017-16544 Medium False Positive SCALE 24.04.0 Link We don't use busybox shell.
busybox 1:1.35.0-4+b3 Integer overflow in the DHCP client (udhcpc) in BusyBox before 1.25.0 allows remote attackers to cause a denial of service (crash) via a malformed RFC1035-encoded domain name, which triggers an out-of-bounds heap write. CVE-2016-2147 Medium False Positive SCALE 24.04.0 Link We don't use busybox DHCP.
busybox 1:1.35.0-4+b3 Heap-based buffer overflow in the DHCP client (udhcpc) in BusyBox before 1.25.0 allows remote attackers to have unspecified impact via vectors involving OPTION_6RD parsing. CVE-2016-2148 High False Positive SCALE 24.04.0 Link We don't use busybox DHCP
busybox 1:1.35.0-4+b3 The recv_and_process_client_pkt function in networking/ntpd.c in busybox allows remote attackers to cause a denial of service (CPU and bandwidth consumption) via a forged NTP packet, which triggers a communication loop. CVE-2016-6301 High False Positive SCALE 24.04.0 Link We don't use busybox NTP
busybox 1:1.35.0-4+b3 huft_build in archival/libarchive/decompress_gunzip.c in BusyBox before 1.27.2 misuses a pointer, causing segfaults and an application crash during an unzip operation on a specially crafted ZIP file. CVE-2015-9261 Medium False Positive SCALE 24.04.0 Link busybox not used for unzip.
github.com/opencontainers/runc v1.1.5 runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc 1.1.11 and earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned container process (from runc exec) to have a working directory in the host filesystem namespace, allowing for a container escape by giving access to the host filesystem ("attack 2"). The same attack could be used by a malicious image to allow a container process to gain access to the host filesystem through runc run ("attack 1"). Variants of attacks 1 and 2 could also be used to overwrite semi-arbitrary host binaries, allowing for complete container escapes ("attack 3a" and "attack 3b"). runc 1.1.12 includes patches for this issue. CVE-2024-21626 High Medium SCALE 24.04.2 Link Apps need to be installed with root access. As such, this is only exploitable by deliberately installing malicious apps.
github.com/opencontainers/runc v1.1.5 runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc 1.1.11 and earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned container process (from runc exec) to have a working directory in the host filesystem namespace, allowing for a container escape by giving access to the host filesystem ("attack 2"). The same attack could be used by a malicious image to allow a container process to gain access to the host filesystem through runc run ("attack 1"). Variants of attacks 1 and 2 could also be used to overwrite semi-arbitrary host binaries, allowing for complete container escapes ("attack 3a" and "attack 3b"). runc 1.1.12 includes patches for this issue. CVE-2024-21626 High Medium SCALE 24.04.0 Link Apps need to be installed with root access. As such, this is only exploitable by deliberately installing malicious apps.
github.com/opencontainers/runc v1.1.6 runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc 1.1.11 and earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned container process (from runc exec) to have a working directory in the host filesystem namespace, allowing for a container escape by giving access to the host filesystem ("attack 2"). The same attack could be used by a malicious image to allow a container process to gain access to the host filesystem through runc run ("attack 1"). Variants of attacks 1 and 2 could also be used to overwrite semi-arbitrary host binaries, allowing for complete container escapes ("attack 3a" and "attack 3b"). runc 1.1.12 includes patches for this issue. CVE-2024-21626 High Medium SCALE 24.04.0 Link Apps need to be installed with root access. As such, this is only exploitable by deliberately installing malicious apps.
openssl 3.0.11-1~deb12u3 Issue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL to crash, leading to a potential Denial of Service attack. Impact summary: Applications loading files in the PKCS12 format from untrusted sources might terminate abruptly. A file in PKCS12 format can contain certificates and keys and may come from an untrusted source. The PKCS12 specification allows certain fields to be NULL, but OpenSSL does not correctly check for this case. This can lead to a NULL pointer dereference that results in OpenSSL crashing. If an application processes PKCS12 files from an untrusted source using the OpenSSL APIs then that application will be vulnerable to this issue. OpenSSL APIs that are vulnerable to this are: PKCS12_parse(), PKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes() and PKCS12_newpass(). We have also fixed a similar issue in SMIME_write_PKCS7(). However since this function is related to writing data we do not consider it security significant. The FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue. CVE-2024-0727 Medium False Positive SCALE 24.04.0 Link We don't process arbitrary PKCS12 files.
google.golang.org/protobuf v1.31.0 The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set. CVE-2024-24786 Unknown False Positive SCALE 24.04.0 Link protojson.Unmarshal not used to process such invalid JSON.
google.golang.org/protobuf v1.28.0 The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set. CVE-2024-24786 Unknown False Positive SCALE 24.04.0 Link protojson.Unmarshal not used to process such invalid JSON.
google.golang.org/protobuf v1.30.0 The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set. CVE-2024-24786 Unknown False Positive SCALE 24.04.0 Link protojson.Unmarshal not used to process such invalid JSON.
qemu-block-extra 1:7.2+dfsg-7+deb12u6 The hardware emulation in the of_dpa_cmd_add_l2_flood function of the rocker device model in QEMU, as used in 7.0.0 and earlier, allows remote attackers to crash the host qemu and potentially execute code on the host by executing a malformed program in the guest OS. Note: This has been disputed by multiple third parties as not a valid vulnerability due to the rocker device not falling within the virtualization use case. CVE-2022-36648 Critical False Positive SCALE 24.10.0 Link QEMU guests are outside of security scope. Never run untrusted VMs or applications on your TrueNAS.
busybox 1:1.35.0-4+b3 There is a stack overflow vulnerability in ash.c:6030 in busybox before 1.35. In the environment of Internet of Vehicles, this vulnerability can be executed from command to arbitrary code execution. CVE-2022-48174 Critical False Positive SCALE 24.10.0 Link TrueNAS does not make use of busybox in a way that can be reached by this exploit.
zlib1g 1:1.2.13.dfsg-1 MiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product. NOTE: pyminizip through 0.2.6 is also vulnerable because it bundles an affected zlib version, and exposes the applicable MiniZip code through its compress API. CVE-2023-45853 Critical False Positive SCALE 24.10.0 Link TrueNAS doesn't use MiniZip in an exploitable way.
stdlib go1.21.6 The various Is methods (IsPrivate, IsLoopback, etc.) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms. CVE-2024-24790 Critical False Positive SCALE 24.10.0 Link TrueNAS doesn't use Go's stdlib for IPv6 address checks.
git 1:2.39.2-1.1 Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, repositories with submodules can be crafted in a way that exploits a bug in Git whereby it can be fooled into writing files not into the submodule's worktree but into a `.git/` directory. This allows writing a hook that will be executed while the clone operation is still running, giving the user no opportunity to inspect the code that is being executed. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. If symbolic link support is disabled in Git (e.g. via `git config --global core.symlinks false`), the described attack won't work. As always, it is best to avoid cloning repositories from untrusted sources. CVE-2024-32002 Critical False Positive SCALE 24.10.0 Link TrueNAS doesn't use git internally in an exploitable way for this vulnerability.
krb5-user 1.20.1-2+deb12u1 In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can cause invalid memory reads during GSS message token handling by sending message tokens with invalid length fields. CVE-2024-37371 Critical False Positive SCALE 24.10.0 Link TrueNAS isn't acting as a Kerberos server.
libarchive13 3.6.2-1+deb12u1 Libarchive before 3.7.4 allows name out-of-bounds access when a ZIP archive has an empty-name file and mac-ext is enabled. This occurs in slurp_central_directory in archive_read_support_format_zip.c. CVE-2024-37407 Critical False Positive SCALE 24.10.0 Link libarchive is not used on untrusted files.
wget 1.21.3-1+b2 url.c in GNU Wget through 1.24.5 mishandles semicolons in the userinfo subcomponent of a URI, and thus there may be insecure behavior in which data that was supposed to be in the userinfo subcomponent is misinterpreted to be part of the host subcomponent. CVE-2024-38428 Critical False Positive SCALE 24.10.0 Link wget is not used on untrusted URLs.
keepalived 1:2.2.7-1+b2 In the vrrp_ipsets_handler handler (fglobal_parser.c) of keepalived through 2.3.1, an integer overflow can occur. NOTE: this CVE Record might not be worthwhile because an empty ipset name must be configured by the user. CVE-2024-41184 Critical False Positive SCALE 24.10.0 Link TrueNAS is not configured in the mode needed for this exploit.
libexpat1 2.5.0-1 An issue was discovered in libexpat before 2.6.3. dtdCopy in xmlparse.c can have an integer overflow for nDefaultAtts on 32-bit platforms (where UINT_MAX equals SIZE_MAX). CVE-2024-45491 Critical False Positive SCALE 24.10.0 Link Not a 32-bit platform.
libexpat1 2.5.0-1 An issue was discovered in libexpat before 2.6.3. nextScaffoldPart in xmlparse.c can have an integer overflow for m_groupSize on 32-bit platforms (where UINT_MAX equals SIZE_MAX). CVE-2024-45492 Critical False Positive SCALE 24.10.0 Link Not a 32-bit platform.
libssl3 3.0.13-1~deb12u2 Issue summary: Calling the OpenSSL API function SSL_select_next_proto with an empty supported client protocols buffer may cause a crash or memory contents to be sent to the peer. Impact summary: A buffer overread can have a range of potential consequences such as unexpected application behaviour or a crash. In particular this issue could result in up to 255 bytes of arbitrary private data from memory being sent to the peer leading to a loss of confidentiality. However, only applications that directly call the SSL_select_next_proto function with a 0 length list of supported client protocols are affected by this issue. This would normally never be a valid scenario and is typically not under attacker control but may occur by accident in the case of a configuration or programming error in the calling application. The OpenSSL API function SSL_select_next_proto is typically used by TLS applications that support ALPN (Application Layer Protocol Negotiation) or NPN (Next Protocol Negotiation). NPN is older, was never standardised and is deprecated in favour of ALPN. We believe that ALPN is significantly more widely deployed than NPN. The SSL_select_next_proto function accepts a list of protocols from the server and a list of protocols from the client and returns the first protocol that appears in the server list that also appears in the client list. In the case of no overlap between the two lists it returns the first item in the client list. In either case it will signal whether an overlap between the two lists was found. In the case where SSL_select_next_proto is called with a zero length client list it fails to notice this condition and returns the memory immediately following the client list pointer (and reports that there was no overlap in the lists). This function is typically called from a server side application callback for ALPN or a client side application callback for NPN. In the case of ALPN the list of protocols supplied by the client is guaranteed by libssl to never be zero in length. The list of server protocols comes from the application and should never normally be expected to be of zero length. In this case, if the SSL_select_next_proto function has been called as expected (with the list supplied by the client passed in the client/client_len parameters), then the application will not be vulnerable to this issue. If the application has accidentally been configured with a zero length server list, and has accidentally passed that zero length server list in the client/client_len parameters, and has additionally failed to correctly handle a "no overlap" response (which would normally result in a handshake failure in ALPN) then it will be vulnerable to this problem. In the case of NPN, the protocol permits the client to opportunistically select a protocol when there is no overlap. OpenSSL returns the first client protocol in the no overlap case in support of this. The list of client protocols comes from the application and should never normally be expected to be of zero length. However, if the SSL_select_next_proto function is accidentally called with a client_len of 0 then an invalid memory pointer will be returned instead. If the application uses this output as the opportunistic protocol then the loss of confidentiality will occur. This issue has been assessed as Low severity because applications are most likely to be vulnerable if they are using NPN instead of ALPN, but NPN is not widely used. It also requires an application configuration or programming error. Finally, this issue would not typically be under attacker control, making active exploitation unlikely. The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue. Due to the low severity of this issue we are not issuing new releases of OpenSSL at this time. The fix will be included in the next releases when they become available. CVE-2024-5535 Critical False Positive SCALE 24.10.0 Link TrueNAS doesn't use NPN. FIPS is not affected.
libnss3 2:3.87.1-1 A mismatch between allocator and deallocator could have lead to memory corruption. This vulnerability affects Firefox < 128, Firefox ESR < 115.13, Thunderbird < 115.13, and Thunderbird < 128. CVE-2024-6602 Critical False Positive SCALE 24.10.0 Link Firefox and Thunderbird not present.
gitpython 3.1.30 GitPython vulnerable to remote code execution due to insufficient sanitization of input arguments GHSA-pr76-5cm5-w9cj Critical False Positive SCALE 24.10.0 Link TrueNAS doesn't use GitPython with untrusted git repos.
github.com/docker/docker v27.0.3+incompatible Authz zero length regression GHSA-v23v-6jw2-98fq Critical False Positive SCALE 24.10.0 Link Do not run untrusted applications on your TrueNAS system.
python3-dnspython 2.3.0-1 The DNS protocol, as implemented in (1) BIND 8 and 9 before 9.5.0-P1, 9.4.2-P1, and 9.3.5-P1; (2) Microsoft DNS in Windows 2000 SP4, XP SP2 and SP3, and Server 2003 SP1 and SP2; and other implementations allow remote attackers to spoof DNS traffic via a birthday attack that uses in-bailiwick referrals to conduct cache poisoning against recursive resolvers, related to insufficient randomness of DNS transaction IDs and source ports, aka "DNS Insufficient Socket Entropy Vulnerability" or "the Kaminsky bug." CVE-2008-1447 High False Positive SCALE 24.10.0 Link TrueNAS does not use dnspython for resolution.
libopenjp2-7 2.5.0-2 A heap-based buffer overflow was found in openjpeg in color.c:379:42 in sycc420_to_rgb when decompressing a crafted .j2k file. An attacker could use this to execute arbitrary code with the permissions of the application compiled against openjpeg. CVE-2021-3575 High False Positive SCALE 24.10.0 Link TrueNAS does not use libopenjp2 for processing untrusted images.
busybox 1:1.35.0-4+b3 BusyBox through 1.35.0 allows remote attackers to execute arbitrary code if netstat is used to print a DNS PTR record's value to a VT compatible terminal. Alternatively, the attacker could choose to change the terminal's colors. CVE-2022-28391 High False Positive SCALE 24.10.0 Link TrueNAS does not use BusyBox to run netstat.
firmware-amd-graphics 20240709-2~bpo12+1 Improper input validation in some Intel(R) PROSet/Wireless WiFi and Killer(TM) WiFi software may allow an authenticated user to potentially enable escalation of privilege via local access. CVE-2022-38076 High False Positive SCALE 24.10.0 Link WiFi firmware not used in TrueNAS.
qemu-block-extra 1:7.2+dfsg-7+deb12u6 An off-by-one read/write issue was found in the SDHCI device of QEMU. It occurs when reading/writing the Buffer Data Port Register in sdhci_read_dataport and sdhci_write_dataport, respectively, if data_count == block_size. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition. CVE-2022-3872 High False Positive SCALE 24.10.0 Link Do not run untrusted guest VMs.
libgfapi0 10.3-5 In Gluster GlusterFS 11.0, there is an xlators/cluster/dht/src/dht-common.c dht_setxattr_mds_cbk use-after-free. CVE-2022-48340 High False Positive SCALE 24.10.0 Link Gluster FS not used internally.
qemu-block-extra 1:7.2+dfsg-7+deb12u6 A flaw was found in the 9p passthrough filesystem (9pfs) implementation in QEMU. When a local user in the guest writes an executable file with SUID or SGID, none of these privileged bits are correctly dropped. As a result, in rare circumstances, this flaw could be used by malicious users in the guest to elevate their privileges within the guest and help a host local user to elevate privileges on the host. CVE-2023-1386 High False Positive SCALE 24.10.0 Link Do not run untrusted guest VMs.
libharfbuzz0b 6.0.0+dfsg-3 hb-ot-layout-gsubgpos.hh in HarfBuzz through 6.0.0 allows attackers to trigger O(n^2) growth via consecutive marks during the process of looking back for base glyphs when attaching marks. CVE-2023-25193 High False Positive SCALE 24.10.0 Link TrueNAS is not using harfbuzz to display attacker-chosen strings.
git 1:2.39.2-1.1 Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, by feeding specially crafted input to `git apply --reject`, a path outside the working tree can be overwritten with partially controlled contents (corresponding to the rejected hunk(s) from the given patch). A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid using `git apply` with `--reject` when applying patches from an untrusted source. Use `git apply --stat` to inspect a patch before applying; avoid applying one that creates a conflict where a link corresponding to the `*.rej` file exists. CVE-2023-25652 High False Positive SCALE 24.10.0 Link TrueNAS doesn't run git apply internally.
vim-common 2:9.0.1378-2 Integer Overflow or Wraparound in GitHub repository vim/vim prior to 9.0.1532. CVE-2023-2610 High False Positive SCALE 24.10.0 Link
dnsmasq-base 2.89-1 An issue was discovered in Dnsmasq before 2.90. The default maximum EDNS.0 UDP packet size was set to 4096 but should be 1232 because of DNS Flag Day 2020. CVE-2023-28450 High False Positive SCALE 24.10.0 Link dnsmasq is not used in a vulnerable way.
git 1:2.39.2-1.1 Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, a specially crafted `.gitmodules` file with submodule URLs that are longer than 1024 characters can be used to exploit a bug in `config.c::git_config_copy_or_rename_section_in_file()`. This bug can be used to inject arbitrary configuration into a user's `$GIT_DIR/config` when attempting to remove the configuration section associated with that submodule. When the attacker injects configuration values which specify executables to run (such as `core.pager`, `core.editor`, `core.sshCommand`, etc.) this can lead to a remote code execution. A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid running `git submodule deinit` on untrusted repositories or without prior inspection of any submodule sections in `$GIT_DIR/config`. CVE-2023-29007 High False Positive SCALE 24.10.0 Link TrueNAS does not use git on untrusted repos.
python3-dnspython 2.3.0-1 eventlet before 0.35.2, as used in dnspython before 2.6.0, allows remote attackers to interfere with DNS name resolution by quickly sending an invalid packet from the expected IP address and source port, aka a "TuDoor" attack. In other words, dnspython does not have the preferred behavior in which the DNS name resolution algorithm would proceed, within the full time window, in order to wait for a valid packet. NOTE: dnspython 2.6.0 is unusable for a different reason that was addressed in 2.6.1. CVE-2023-29483 High False Positive SCALE 24.10.0 Link TrueNAS does not use dnspython for arbitrary DNS resolution.
libldap-2.5-0 2.5.13+dfsg-5 A vulnerability was found in openldap. This security flaw causes a null pointer dereference in ber_memalloc_x() function. CVE-2023-2953 High Low SCALE 24.10.0 Link iX considers risk to be low. There are no known exploits of this null pointer bug.
dmidecode 3.4-1 Dmidecode before 3.5 allows --dump-bin to overwrite a local file. This has security relevance because, for example, execution of Dmidecode via Sudo is plausible. CVE-2023-30630 High False Positive SCALE 24.10.0 Link dmidecode is not used in a vulnerable way.
amd64-microcode 3.20230808.1.1~deb12u1 Improper validation in a model specific register (MSR) could allow a malicious program with ring0 access to modify SMM configuration while SMI lock is enabled, potentially leading to arbitrary code execution. CVE-2023-31315 High False Positive SCALE 24.10.0 Link No untrusted code with ring0 access.
libperl5.36 5.36.0-7+deb12u1 CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS. CVE-2023-31484 High False Positive SCALE 24.10.0 Link CPAN is not used in a vulnerable way.
sysstat 12.6.1-1 sysstat through 12.7.2 allows a multiplication integer overflow in check_overflow in common.c. NOTE: this issue exists because of an incomplete fix for CVE-2022-39377. CVE-2023-33204 High False Positive SCALE 24.10.0 Link sysstat is not used in a vulnerable way.
truenas-sssd 2.9.5-2 A race condition flaw was found in sssd where the GPO policy is not consistently applied for authenticated users. This may lead to improper authorization issues, granting or denying access to resources inappropriately. CVE-2023-3758 High False Positive SCALE 24.10.0 Link Race condition that requires non-default configuration.
busybox 1:1.35.0-4+b3 An issue in the CPIO command of Busybox v1.33.2 allows attackers to execute a directory traversal. CVE-2023-39810 High False Positive SCALE 24.10.0 Link Busybox not used for CPIO.
shim-unsigned 15.7-1 A remote code execution vulnerability was found in Shim. The Shim boot support trusts attacker-controlled values when parsing an HTTP response. This flaw allows an attacker to craft a specific malicious HTTP request, leading to a completely controlled out-of-bounds write primitive and complete system compromise. This flaw is only exploitable during the early boot phase; an attacker needs to perform a Man-in-the-Middle or compromise the boot server to be able to exploit this vulnerability successfully. CVE-2023-40547 High False Positive SCALE 24.10.0 Link Shim not used for http-based booting.
shim-unsigned 15.7-1 A buffer overflow was found in Shim in the 32-bit system. The overflow happens due to an addition operation involving a user-controlled value parsed from the PE binary being used by Shim. This value is further used for memory allocation operations, leading to a heap-based buffer overflow. This flaw causes memory corruption and can lead to a crash or data integrity issues during the boot phase. CVE-2023-40548 High False Positive SCALE 24.10.0 Link Not a 32-bit platform.
sudo 1.9.13p3-1+deb12u1 Sudo before 1.9.15 might allow row hammer attacks (for authentication bypass or privilege escalation) because application logic sometimes is based on not equaling an error value (instead of equaling a success value), and because the values do not resist flips of a single bit. CVE-2023-42465 High Low SCALE 24.10.0 Link Rowhammer attacks are hardware-based; it's nearly impossible to completely fix this issue in software. Do not run untrusted VMs or containers on your TrueNAS.
intel-microcode 3.20240514.1~deb12u1 Improper isolation in the Intel(R) Core(TM) Ultra Processor stream cache mechanism may allow an authenticated user to potentially enable escalation of privilege via local access. CVE-2023-42667 High Low SCALE 24.10.0 Link Exploit requires local authenticated access and a specific Intel CPU.
python3-urllib3 1.26.12-1 urllib3 is a user-friendly HTTP client library for Python. urllib3 doesn't treat the `Cookie` HTTP header specially or provide any helpers for managing cookies over HTTP; that is the responsibility of the user. However, it is possible for a user to specify a `Cookie` header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly. This issue has been patched in urllib3 version 1.26.17 or 2.0.5. CVE-2023-43804 High False Positive SCALE 24.10.0 Link Cookies aren't used in the vulnerable fashion in TrueNAS.
nginx 1.22.1-9 The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. CVE-2023-44487 High Low SCALE 24.10.0 Link Do not expose your TrueNAS HTTP ports to the internet.
ovmf 2022.11-6+deb12u1 EDK2's Network Package is susceptible to a predictable TCP Initial Sequence Number. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Confidentiality. CVE-2023-45236 High False Positive SCALE 24.10.0 Link VM exploit: Do not run untrusted VMs on your TrueNAS.
ovmf 2022.11-6+deb12u1 EDK2's Network Package is susceptible to a predictable TCP Initial Sequence Number. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Confidentiality. CVE-2023-45237 High False Positive SCALE 24.10.0 Link VM exploit: Do not run untrusted VMs on your TrueNAS.
stdlib go1.21.6 An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection. CVE-2023-45288 High False Positive SCALE 24.10.0 Link Go's stdlib not used for serving HTTP.
vim-common 2:9.0.1378-2 Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1848. CVE-2023-4738 High False Positive SCALE 24.10.0 Link
vim-common 2:9.0.1378-2 Use After Free in GitHub repository vim/vim prior to 9.0.1858. CVE-2023-4752 High False Positive SCALE 24.10.0 Link
vim-common 2:9.0.1378-2 Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1873. CVE-2023-4781 High False Positive SCALE 24.10.0 Link
python3-cryptography 38.0.4-3 cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Calling `load_pem_pkcs7_certificates` or `load_der_pkcs7_certificates` could lead to a NULL-pointer dereference and segfault. Exploitation of this vulnerability poses a serious risk of Denial of Service (DoS) for any application attempting to deserialize a PKCS7 blob/certificate. The consequences extend to potential disruptions in system availability and stability. This vulnerability has been patched in version 41.0.6. CVE-2023-49083 High False Positive SCALE 24.10.0 Link PKCS7 not used internally.
dnsmasq-base 2.89-1 Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the "KeyTrap" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records. CVE-2023-50387 High False Positive SCALE 24.10.0 Link dnsmasq not used in a way that this exploit can reach.
python3-cryptography 38.0.4-3 A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data. CVE-2023-50782 High False Positive SCALE 24.10.0 Link Not serving TLS via this code.
p7zip 16.02+dfsg-8 The NtfsHandler.cpp NTFS handler in 7-Zip before 24.01 (for 7zz) contains a heap-based buffer overflow that allows an attacker to overwrite two bytes at multiple offsets beyond the allocated buffer size: buffer+512*i-2, for i=9, i=10, i=11, etc. CVE-2023-52168 High False Positive SCALE 24.10.0 Link p7zip not used internally.
libtiff6 4.5.0-6+deb12u1 An out-of-memory flaw was found in libtiff that could be triggered by passing a crafted tiff file to the TIFFRasterScanlineSize64() API. This flaw allows a remote attacker to cause a denial of service via a crafted input with a size smaller than 379 KB. CVE-2023-52355 High False Positive SCALE 24.10.0 Link libtiff not used internally.
libtiff6 4.5.0-6+deb12u1 A segment fault (SEGV) flaw was found in libtiff that could be triggered by passing a crafted tiff file to the TIFFReadRGBATileExt() API. This flaw allows a remote attacker to cause a heap-buffer overflow, leading to a denial of service. CVE-2023-52356 High False Positive SCALE 24.10.0 Link libtiff not used internally.
libexpat1 2.5.0-1 libexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in the case of a large token for which multiple buffer fills are needed. CVE-2023-52425 High False Positive SCALE 24.10.0 Link Unreachable denial of service.
vim-common 2:9.0.1378-2 Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1969. CVE-2023-5344 High False Positive SCALE 24.10.0 Link
libsqlite3-0 3.40.1-2 A vulnerability was found in SQLite SQLite3 up to 3.43.0 and classified as critical. This issue affects the function sessionReadRecord of the file ext/session/sqlite3session.c of the component make alltest Handler. The manipulation leads to heap-based buffer overflow. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-248999. CVE-2023-7104 High False Positive SCALE 24.10.0 Link Untrusted code cannot reach sqlite calls.
libpython3.11 3.11.2-6+deb12u2 A defect was discovered in the Python “ssl” module where there is a memory race condition with the ssl.SSLContext methods “cert_store_stats()” and “get_ca_certs()”. The race condition can be triggered if the methods are called at the same time as certificates are loaded into the SSLContext, such as during the TLS handshake with a certificate directory configured. This issue is fixed in CPython 3.10.14, 3.11.9, 3.12.3, and 3.13.0a5. CVE-2024-0397 High Low SCALE 24.10.0 Link No exploits known beyond denial of service.
libnss3 2:3.87.1-1 An unchecked return value in TLS handshake code could have caused a potentially exploitable crash. This vulnerability affects Firefox < 122, Firefox ESR < 115.9, and Thunderbird < 115.9. CVE-2024-0743 High False Positive SCALE 24.10.0 Link Firefox and Thunderbird not included in TrueNAS.
bind9-dnsutils 1:9.18.24-1 A malicious client can send many DNS messages over TCP, potentially causing the server to become unstable while the attack is in progress. The server may recover after the attack ceases. Use of ACLs will not mitigate the attack. This issue affects BIND 9 versions 9.18.1 through 9.18.27, 9.19.0 through 9.19.24, and 9.18.11-S1 through 9.18.27-S1. CVE-2024-0760 High False Positive SCALE 24.10.0 Link TrueNAS is not serving DNS.
bind9-dnsutils 1:9.18.24-1 Resolver caches and authoritative zone databases that hold significant numbers of RRs for the same hostname (of any RTYPE) can suffer from degraded performance as content is being added or updated, and also when handling client queries for this name. This issue affects BIND 9 versions 9.11.0 through 9.11.37, 9.16.0 through 9.16.50, 9.18.0 through 9.18.27, 9.19.0 through 9.19.24, 9.11.4-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.50-S1, and 9.18.11-S1 through 9.18.27-S1. CVE-2024-1737 High False Positive SCALE 24.10.0 Link TrueNAS is not using bind9 for caching results.
bind9-dnsutils 1:9.18.24-1 If a server hosts a zone containing a "KEY" Resource Record, or a resolver DNSSEC-validates a "KEY" Resource Record from a DNSSEC-signed domain in cache, a client can exhaust resolver CPU resources by sending a stream of SIG(0) signed requests. This issue affects BIND 9 versions 9.0.0 through 9.11.37, 9.16.0 through 9.16.50, 9.18.0 through 9.18.27, 9.19.0 through 9.19.24, 9.9.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.49-S1, and 9.18.11-S1 through 9.18.27-S1. CVE-2024-1975 High False Positive SCALE 24.10.0 Link TrueNAS is not using bind9 to cache results.
vim-common 2:9.0.1378-2 Vim before 9.0.2142 has a stack-based buffer overflow because did_set_langmap in map.c calls sprintf to write to the error buffer that is passed down to the option callback functions. CVE-2024-22667 High False Positive SCALE 24.10.0 Link
curl 7.88.1-10+deb12u5 When an application tells libcurl it wants to allow HTTP/2 server push, and the amount of received headers for the push surpasses the maximum allowed limit (1000), libcurl aborts the server push. When aborting, libcurl inadvertently does not free all the previously allocated headers and instead leaks the memory. Further, this error condition fails silently and is therefore not easily detected by an application. CVE-2024-2398 High False Positive SCALE 24.10.0 Link TrueNAS does not use libcurl in a vulnerable way.
stdlib go1.21.6 The ParseAddressList function incorrectly handles comments (text within parentheses) within display names. Since this is a misalignment with conforming address parsers, it can result in different trust decisions being made by programs using different parsers. CVE-2024-24784 High False Positive SCALE 24.10.0 Link TrueNAS does not use ParseAddressList.
stdlib go1.21.6 The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail. An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail. CVE-2024-24791 High False Positive SCALE 24.10.0 Link TrueNAS is not using net/http client.
intel-microcode 3.20240514.1~deb12u1 Incorrect behavior order in transition between executive monitor and SMI transfer monitor (STM) in some Intel(R) Processor may allow a privileged user to potentially enable escalation of privilege via local access. CVE-2024-24853 High False Positive SCALE 24.10.0 Link Requires local privileged access.
libxml2 2.9.14+dfsg-1.3~deb12u1 An issue was discovered in libxml2 before 2.11.7 and 2.12.x before 2.12.5. When using the XML Reader interface with DTD validation and XInclude expansion enabled, processing crafted XML documents can lead to an xmlValidatePopElement use-after-free. CVE-2024-25062 High False Positive SCALE 24.10.0 Link TrueNAS is not processing XML from attackers.
python3-cryptography 38.0.4-3 cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Starting in version 38.0.0 and prior to version 42.0.4, if `pkcs12.serialize_key_and_certificates` is called with both a certificate whose public key did not match the provided private key and an `encryption_algorithm` with `hmac_hash` set (via `PrivateFormat.PKCS12.encryption_builder().hmac_hash(...)`), then a NULL pointer dereference would occur, crashing the Python process. This has been resolved in version 42.0.4, the first version in which a `ValueError` is properly raised. CVE-2024-26130 High False Positive SCALE 24.10.0 Link TrueNAS does not use the cryptography package in a vulnerable way.
krb5-user 1.20.1-2+deb12u1 Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/lib/gssapi/krb5/k5sealv3.c. CVE-2024-26461 High Low SCALE 24.10.0 Link Potential memory leak; no security implications.
python3-truenas-ipaclient 4.12.1-2 A vulnerability was found in FreeIPA in how the initial implementation of MS-SFU by MIT Kerberos was missing a condition for granting the "forwardable" flag on S4U2Self tickets. Fixing this mistake required adding a special case for the check_allowed_to_delegate() function: If the target service argument is NULL, then it means the KDC is probing for general constrained delegation rules and not checking a specific S4U2Proxy request. In FreeIPA 4.11.0, the behavior of ipadb_match_acl() was modified to match the changes from upstream MIT Kerberos 1.20. However, a mistake resulted in this mechanism applying both in cases where the target service argument is set AND where it is unset. This results in S4U2Proxy requests being accepted regardless of whether or not there is a matching service delegation rule. CVE-2024-2698 High False Positive SCALE 24.10.0 Link This only applies to FreeIPA servers. TrueNAS acts only as a client.
libxencall1 4.17.3+10-g091466ba55-1~deb12u1 An optional feature of PCI MSI called "Multiple Message" allows a device to use multiple consecutive interrupt vectors. Unlike for MSI-X, the setting up of these consecutive vectors needs to happen all in one go. In this handling an error path could be taken in different situations, with or without a particular lock held. This error path wrongly releases the lock even when it is not currently held. CVE-2024-31143 High False Positive SCALE 24.10.0 Link Don't run untrusted guests.
libxencall1 4.17.3+10-g091466ba55-1~deb12u1 Certain PCI devices in a system might be assigned Reserved Memory Regions (specified via Reserved Memory Region Reporting, "RMRR") for Intel VT-d or Unity Mapping ranges for AMD-Vi. These are typically used for platform tasks such as legacy USB emulation. Since the precise purpose of these regions is unknown, once a device associated with such a region is active, the mappings of these regions need to remain continuously accessible by the device. In the logic establishing these mappings, error handling was flawed, so that such mappings could remain in place when they should have been removed again. Respective guests would then gain access to memory regions which they aren't supposed to have access to. CVE-2024-31145 High False Positive SCALE 24.10.0 Link Do not run untrusted guest VMs.
libxencall1 4.17.3+10-g091466ba55-1~deb12u1 When multiple devices share resources and one of them is to be passed through to a guest, security of the entire system and of respective guests individually cannot really be guaranteed without knowing internals of any of the involved guests. Therefore such a configuration cannot really be security-supported, yet making that explicit was so far missing. Resources the sharing of which is known to be problematic include, but are not limited to: PCI Base Address Registers (BARs) of multiple devices mapping to the same page (4k on x86), and INTx lines. CVE-2024-31146 High False Positive SCALE 24.10.0 Link Do not run untrusted guest VMs.
python3-truenas-ipaclient 4.12.1-2 A vulnerability was found in FreeIPA in the way a Kerberos TGS-REQ is encrypted using the client’s session key. This key is different for each new session, which protects it from brute force attacks. However, the ticket it contains is encrypted using the target principal key directly. For user principals, this key is a hash of a public per-principal randomly-generated salt and the user’s password. If a principal is compromised it means the attacker would be able to retrieve tickets encrypted to any principal, all of them being encrypted by their own key directly. By taking these tickets and salts offline, the attacker could run brute force attacks to find character strings able to decrypt tickets when combined with a principal salt (i.e. find the principal’s password). CVE-2024-3183 High False Positive SCALE 24.10.0 Link
git 1:2.39.2-1.1 Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, an attacker can prepare a local repository in such a way that, when cloned, will execute arbitrary code during the operation. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. As a workaround, avoid cloning repositories from untrusted sources. CVE-2024-32004 High False Positive SCALE 24.10.0 Link Git not used with untrusted repositories.
git 1:2.39.2-1.1 Git is a revision control system. The Git project recommends to avoid working in untrusted repositories, and instead to clone it first with `git clone --no-local` to obtain a clean copy. Git has specific protections to make that a safe operation even with an untrusted source repository, but vulnerabilities allow those protections to be bypassed. In the context of cloning local repositories owned by other users, this vulnerability has been covered in CVE-2024-32004. But there are circumstances where the fixes for CVE-2024-32004 are not enough: For example, when obtaining a `.zip` file containing a full copy of a Git repository, it should not be trusted by default to be safe, as e.g. hooks could be configured to run within the context of that repository. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. As a workaround, avoid using Git in repositories that have been obtained via archives from untrusted sources. CVE-2024-32465 High False Positive SCALE 24.10.0 Link Git not used with untrusted repos.
libunbound8 1.17.1-2+deb12u2 The DNS protocol in RFC 1035 and updates allows remote attackers to cause a denial of service (resource consumption) by arranging for DNS queries to be accumulated for seconds, such that responses are later sent in a pulsing burst (which can be considered traffic amplification in some cases), aka the "DNSBomb" issue. CVE-2024-33655 High False Positive SCALE 24.10.0 Link DNS resolution not used in vulnerable fashion.
stdlib go1.21.12 Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635. CVE-2024-34156 High False Positive SCALE 24.10.0 Link Decode not used.
stdlib go1.21.12 Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion. CVE-2024-34158 High False Positive SCALE 24.10.0 Link Build time issue.
krb5-user 1.20.1-2+deb12u1 In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can modify the plaintext Extra Count field of a confidential GSS krb5 wrap token, causing the unwrapped token to appear truncated to the application. CVE-2024-37370 High Low SCALE 24.10.0 Link No proof-of-concepts exist at this time.
libpython3.11 3.11.2-6+deb12u2 The “ipaddress” module contained incorrect information about whether certain IPv4 and IPv6 addresses were designated as “globally reachable” or “private”. This affected the is_private and is_global properties of the ipaddress.IPv4Address, ipaddress.IPv4Network, ipaddress.IPv6Address, and ipaddress.IPv6Network classes, where values wouldn’t be returned in accordance with the latest information from the IANA Special-Purpose Address Registries. CPython 3.12.4 and 3.13.0a6 contain updated information from these registries and thus have the intended behavior. CVE-2024-4032 High False Positive SCALE 24.10.0 Link Address typing not relied upon for security issues.
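The row above is a false positive only because address typing is not used as a security control. As an added illustration of what that means in practice (this is example code, not part of this advisory and not TrueNAS code), the egress guard below, of the kind used to stop server-side requests from reaching internal hosts, carries its own explicit range table derived from the IANA special-purpose registries instead of trusting `is_global` or `is_private`, and unwraps IPv4-mapped IPv6 addresses so that `::ffff:10.0.0.1` is judged as the private host it is. The range table is this example's own reading of the registries, not CPython's table, and the sample addresses are constructed.

```python
"""Egress address policy that does not depend on ipaddress.is_global / is_private.

Constructed example: the range table is this example's own reading of the IANA
special-purpose registries, not CPython's table and not TrueNAS code.
"""
import ipaddress
from typing import Iterable, List, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Blocks that must never be an egress target: non-globally-reachable special-purpose
# ranges plus multicast. Kept here explicitly so a change in the stdlib's table
# (the subject of CVE-2024-4032) cannot silently alter the policy.
_NOT_GLOBAL = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24", "192.168.0.0/16",
    "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "224.0.0.0/4",
    "240.0.0.0/4", "255.255.255.255/32",
    "::/128", "::1/128", "64:ff9b:1::/48", "100::/64", "2001:2::/48",
    "2001:db8::/32", "2002::/16", "fc00::/7", "fe80::/10", "ff00::/8",
)]
# Carve-outs inside the blocks above that the registry marks globally reachable
# (PCP anycast and TURN anycast both sit inside 192.0.0.0/24).
_GLOBAL_EXCEPTIONS = [ipaddress.ip_network(n) for n in ("192.0.0.9/32", "192.0.0.10/32")]


def _normalize(addr: str) -> IPAddr:
    """Parse, and unwrap IPv4-mapped IPv6 so ::ffff:10.0.0.1 is judged as 10.0.0.1."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def is_public_destination(addr: str) -> bool:
    """True only when the address is outside every denied block (or in a carve-out).
    ipaddress.is_global is deliberately not consulted."""
    ip = _normalize(addr)
    if any(ip in net for net in _GLOBAL_EXCEPTIONS):
        return True
    return not any(ip in net for net in _NOT_GLOBAL)


def stdlib_disagreements(addrs: Iterable[str]) -> List[str]:
    """Addresses on which this policy and the running interpreter's is_global differ.
    Run it over the addresses a deployment cares about after a Python upgrade; the
    answer depends on the interpreter's registry snapshot, which is the point."""
    out = []
    for a in addrs:
        if _normalize(a).is_global != is_public_destination(a):
            out.append(a)
    return out


# Constructed sample targets.
SAMPLES = ["8.8.8.8", "10.1.2.3", "100.64.1.1", "192.0.0.9", "192.0.0.170",
           "198.18.0.1", "::ffff:127.0.0.1", "2002:c000:204::1", "2606:4700::1111"]

if __name__ == "__main__":
    for a in SAMPLES:
        print(f"{a:>20}  public={is_public_destination(a)}")
    print("differs from stdlib is_global:", stdlib_disagreements(SAMPLES))
```

The guard takes a literal address, not a hostname: resolving names inside the check reintroduces DNS rebinding, so a caller resolves first, checks every returned address, and then connects to the checked address rather than to the name.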
bind9-dnsutils 1:9.18.24-1 Client queries that trigger serving stale data and that also require lookups in local authoritative zone data may result in an assertion failure. This issue affects BIND 9 versions 9.16.13 through 9.16.50, 9.18.0 through 9.18.27, 9.19.0 through 9.19.24, 9.11.33-S1 through 9.11.37-S1, 9.16.13-S1 through 9.16.50-S1, and 9.18.11-S1 through 9.18.27-S1. CVE-2024-4076 High False Positive SCALE 24.10.0 Link An assertion failure would not affect system operation.
qemu-block-extra 1:7.2+dfsg-7+deb12u6 A flaw was found in the QEMU disk image utility (qemu-img) 'info' command. A specially crafted image file containing a `json:{}` value describing block devices in QMP could cause the qemu-img process on the host to consume large amounts of memory or CPU time, leading to denial of service or read/write to an existing external file. CVE-2024-4467 High False Positive SCALE 24.10.0 Link Don't use untrusted QEMU images.
libexpat1 2.5.0-1 An issue was discovered in libexpat before 2.6.3. xmlparse.c does not reject a negative length for XML_ParseBuffer. CVE-2024-45490 High False Positive SCALE 24.10.0 Link TrueNAS doesn't use libexpat on untrusted XML.
liboath0 2.6.7-3.1 pam_oath.so in oath-toolkit 2.6.7 through 2.6.11 before 2.6.12 allows root privilege escalation because, in the context of PAM code running as root, it mishandles usersfile access, such as by calling fchown in the presence of a symlink. CVE-2024-47191 High False Positive SCALE 24.10.0 Link TrueNAS does not use vulnerable PAM config required for this vulnerability.
libarchive13 3.6.2-1+deb12u1 execute_filter_audio in archive_read_support_format_rar.c in libarchive before 3.7.5 allows out-of-bounds access via a crafted archive file because src can move beyond dst. CVE-2024-48957 High False Positive SCALE 24.10.0 Link libarchive not used for audio.
libarchive13 3.6.2-1+deb12u1 execute_filter_delta in archive_read_support_format_rar.c in libarchive before 3.7.5 allows out-of-bounds access via a crafted archive file because src can move beyond dst. CVE-2024-48958 High False Positive SCALE 24.10.0 Link libarchive not used for RAR
libssl3 3.0.13-1~deb12u2 Issue summary: Applications performing certificate name checks (e.g., TLS clients checking server certificates) may attempt to read an invalid memory address resulting in abnormal termination of the application process. Impact summary: Abnormal termination of an application can cause a denial of service. Applications performing certificate name checks (e.g., TLS clients checking server certificates) may attempt to read an invalid memory address when comparing the expected name with an `otherName` subject alternative name of an X.509 certificate. This may result in an exception that terminates the application program. Note that basic certificate chain validation (signatures, dates, ...) is not affected; the denial of service can occur only when the application also specifies an expected DNS name, Email address or IP address. TLS servers rarely solicit client certificates, and even when they do, they generally don't perform a name check against a reference identifier (expected identity), but rather extract the presented identity after checking the certificate chain. So TLS servers are generally not affected and the severity of the issue is Moderate. The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue. CVE-2024-6119 High False Positive SCALE 24.10.0 Link libssl not used for TLS client certificate name checking
libpython3.11 3.11.2-6+deb12u2 There is a MEDIUM severity vulnerability affecting CPython. Regular expressions that allowed excessive backtracking during tarfile.TarFile header parsing are vulnerable to ReDoS via specifically-crafted tar archives. CVE-2024-6232 High False Positive SCALE 24.10.0 Link TrueNAS does not use the tarfile header parsing affected by this ReDoS.
python3-pkg-resources 66.1.1-1 A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0. CVE-2024-6345 High False Positive SCALE 24.10.0 Link setuptools not used at runtime
qemu-block-extra 1:7.2+dfsg-7+deb12u6 CVE-2024-6519 High False Positive SCALE 24.10.0 Link QEMU not used for LSI HBA emulation.
libnss3 2:3.87.1-1 When almost out-of-memory an elliptic curve key which was never allocated could have been freed again. This vulnerability affects Firefox < 128 and Thunderbird < 128. CVE-2024-6609 High False Positive SCALE 24.10.0 Link Firefox and Thunderbird not available on system.
libgtk-3-0 3.24.38-2~deb12u1 A flaw was found in the GTK library. Under certain conditions, it is possible for a library to be injected into a GTK application from the current working directory. CVE-2024-6655 High False Positive SCALE 24.10.0 Link GTK applications not reachable from TrueNAS internals.
libtiff6 4.5.0-6+deb12u1 A null pointer dereference flaw was found in Libtiff via `tif_dirinfo.c`. This issue may allow an attacker to trigger memory allocation failures through certain means, such as restricting the heap space size or injecting faults, causing a segmentation fault. This can cause an application crash, eventually leading to a denial of service. CVE-2024-7006 High False Positive SCALE 24.10.0 Link libtiff not exposed to forced memory failures
libnbd0 1.14.2-1 A flaw was found in libnbd. The client did not always correctly verify the NBD server's certificate when using TLS to connect to an NBD server. This issue allows a man-in-the-middle attack on NBD traffic. CVE-2024-7383 High False Positive SCALE 24.10.0 Link libnbd not used in vulnerable fashion
qemu-block-extra 1:7.2+dfsg-7+deb12u6 A flaw was found in the QEMU NBD Server. This vulnerability allows a denial of service (DoS) attack via improper synchronization during socket closure when a client keeps a socket open as the server is taken offline. CVE-2024-7409 High False Positive SCALE 24.10.0 Link qemu not used in vulnerable fashion
libpython3.11 3.11.2-6+deb12u2 There is a LOW severity vulnerability affecting CPython, specifically the 'http.cookies' standard library module. When parsing cookies that contained backslashes for quoted characters in the cookie value, the parser would use an algorithm with quadratic complexity, resulting in excess CPU resources being used while parsing the value. CVE-2024-7592 High False Positive SCALE 24.10.0 Link CPython not used in vulnerable fashion.
gitpython 3.1.30 Untrusted search path under some conditions on Windows allows arbitrary code execution GHSA-2mqj-m65w-jghx High False Positive SCALE 24.10.0 Link Windows vulnerability.
pillow 9.4.0 Arbitrary Code Execution in Pillow GHSA-3f63-hfp8-52jq High False Positive SCALE 24.10.0 Link Pillow code not reachable for arbitrary images.
cryptography 38.0.4 Python Cryptography package vulnerable to Bleichenbacher timing oracle attack GHSA-3ww4-gg4f-jr7f High False Positive SCALE 24.10.0 Link Avoid RSA keys going forward; TrueNAS does not choose RSA for its cryptographic keys.
pillow 9.4.0 Bundled libwebp in Pillow vulnerable GHSA-56pw-mpj4-fxww High False Positive SCALE 24.10.0 Link Pillow code not reachable for untrusted images.
aiohttp 3.8.5 aiohttp vulnerable to Denial of Service when trying to parse malformed POST requests GHSA-5m98-qgg9-wh84 High False Positive SCALE 24.10.0 Link aiohttp not used for arbitrary POST requests.
cryptography 38.0.4 cryptography NULL pointer dereference with pkcs12.serialize_key_and_certificates when called with a non-matching certificate and private key and an hmac_hash override GHSA-6vqw-3v5j-54x4 High False Positive SCALE 24.10.0 Link cryptography not called with unmatching certs and keys.
pillow 9.4.0 Pillow Denial of Service vulnerability GHSA-8ghj-p4vj-mr35 High False Positive SCALE 24.10.0 Link Pillow not used for arbitrary image processing.
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.45.0 otelgrpc DoS vulnerability due to unbound cardinality metrics GHSA-8pgv-569h-w5rw High False Positive SCALE 24.10.0 Link DoS not reachable in TrueNAS code.
asyncssh 2.13.2 AsyncSSH Rogue Session Attack GHSA-c35q-ffpf-5qpm High False Positive SCALE 24.10.0 Link asyncssh not used in vulnerable fashion
setuptools 66.1.1 setuptools vulnerable to Command Injection via package URL GHSA-cx63-2mw6-8hw5 High False Positive SCALE 24.10.0 Link setuptools not used for untrusted packages.
pycryptodomex 3.11.0 PyCryptodome and pycryptodomex side-channel leakage for OAEP decryption GHSA-j225-cvw7-qrx7 High False Positive SCALE 24.10.0 Link OAEP decryption not used internally in TrueNAS.
pillow 9.4.0 libwebp: OOB write in BuildHuffmanTable GHSA-j7hp-h8jx-5ppr High False Positive SCALE 24.10.0 Link Pillow not used for untrusted image processing.
markdown-it-py 2.1.0 markdown-it-py Denial of Service vulnerability in the command line interface GHSA-jrwr-5x3p-hvc3 High False Positive SCALE 24.10.0 Link markdown not used in vulnerable fashion.
markdown-it-py 2.1.0 markdown-it-py Denial of Service vulnerability GHSA-vrjv-mxr7-vjf8 High False Positive SCALE 24.10.0 Link markdown not used in vulnerable fashion.
gitpython 3.1.30 GitPython untrusted search path on Windows systems leading to arbitrary code execution GHSA-wfm5-v35h-vwf4 High False Positive SCALE 24.10.0 Link Windows vulnerability.
cryptography 38.0.4 Vulnerable OpenSSL included in cryptography wheels GHSA-x4qr-2fvf-3mr5 High False Positive SCALE 24.10.0 Link Not built from the supplied wheels.
certifi 2022.9.24 Removal of e-Tugra root certificate GHSA-xqr8-7jwr-rhp7 High False Positive SCALE 24.10.0 Link External certificate issue.
stdlib go1.21.6 When following an HTTP redirect to a domain which is not a subdomain match or exact match of the initial domain, an http.Client does not forward sensitive headers such as "Authorization" or "Cookie". For example, a redirect from foo.com to www.foo.com will forward the Authorization header, but a redirect to bar.com will not. A maliciously crafted HTTP redirect could cause sensitive headers to be unexpectedly forwarded. CVE-2023-45289 Unknown False Positive SCALE 24.10.0 Link Product does not follow HTTP redirects.
stdlib go1.21.6 When parsing a multipart form (either explicitly with Request.ParseMultipartForm or implicitly with Request.FormValue, Request.PostFormValue, or Request.FormFile), limits on the total size of the parsed form were not applied to the memory consumed while reading a single form line. This permits a maliciously crafted input containing very long lines to cause allocation of arbitrarily large amounts of memory, potentially leading to memory exhaustion. With fix, the ParseMultipartForm function now correctly limits the maximum size of form lines. CVE-2023-45290 Unknown False Positive SCALE 24.10.0 Link Go stdlib not used for form processing.
libncurses6 6.4-4 ncurses 6.4-20230610 has a NULL pointer dereference in tgetstr in tinfo/lib_termcap.c. CVE-2023-45918 Unknown False Positive SCALE 24.10.0 Link ncurses not used for basic operations.
libxencall1 4.17.3+10-g091466ba55-1~deb12u1 Recent x86 CPUs offer functionality named Control-flow Enforcement Technology (CET). A sub-feature of this are Shadow Stacks (CET-SS). CET-SS is a hardware feature designed to protect against Return Oriented Programming attacks. When enabled, traditional stacks holding both data and return addresses are accompanied by so called "shadow stacks", holding little more than return addresses. Shadow stacks aren't writable by normal instructions, and upon function returns their contents are used to check for possible manipulation of a return address coming from the traditional stack. In particular certain memory accesses need intercepting by Xen. In various cases the necessary emulation involves kind of replaying of the instruction. Such replaying typically involves filling and then invoking of a stub. Such a replayed instruction may raise an exception, which is expected and dealt with accordingly. Unfortunately the interaction of both of the above wasn't right: Recovery involves removal of a call frame from the (traditional) stack. The counterpart of this operation for the shadow stack was missing. CVE-2023-46841 Unknown False Positive SCALE 24.10.0 Link Don't run untrusted guests.
libxencall1 4.17.3+10-g091466ba55-1~deb12u1 Unlike 32-bit PV guests, HVM guests may switch freely between 64-bit and other modes. This in particular means that they may set registers used to pass 32-bit-mode hypercall arguments to values outside of the range 32-bit code would be able to set them to. When processing of hypercalls takes a considerable amount of time, the hypervisor may choose to invoke a hypercall continuation. Doing so involves putting (perhaps updated) hypercall arguments in respective registers. For guests not running in 64-bit mode this further involves a certain amount of translation of the values. Unfortunately internal sanity checking of these translated values assumes high halves of registers to always be clear when invoking a hypercall. When this is found not to be the case, it triggers a consistency check in the hypervisor and causes a crash. CVE-2023-46842 Unknown False Positive SCALE 24.10.0 Link Don't run untrusted guests.
dnsmasq-base 2.89-1 The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the "NSEC3" issue. The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash function in certain situations. CVE-2023-50868 Unknown False Positive SCALE 24.10.0 Link dnsmasq not used for DNSSEC in TrueNAS
libnss3 2:3.87.1-1 NSS was susceptible to a timing side-channel attack when performing RSA decryption. This attack could potentially allow an attacker to recover the private data. This vulnerability affects Firefox < 124, Firefox ESR < 115.9, and Thunderbird < 115.9. CVE-2023-5388 Unknown False Positive SCALE 24.10.0 Link Firefox and Thunderbird not available in TrueNAS.
libxencall1 4.17.3+10-g091466ba55-1~deb12u1 A Speculative Race Condition (SRC) vulnerability that impacts modern CPU architectures supporting speculative execution (related to Spectre V1) has been disclosed. An unauthenticated attacker can exploit this vulnerability to disclose arbitrary data from the CPU using race conditions to access the speculative executable code paths. CVE-2024-2193 Unknown False Positive SCALE 24.10.0 Link Do not run untrusted guest VMs.
libxencall1 4.17.3+10-g091466ba55-1~deb12u1 CVE-2024-2201 Unknown False Positive SCALE 24.10.0 Link Do not run untrusted guest VMs.
stdlib go1.21.6 Verifying a certificate chain which contains a certificate with an unknown public key algorithm will cause Certificate.Verify to panic. This affects all crypto/tls clients, and servers that set Config.ClientAuth to VerifyClientCertIfGiven or RequireAndVerifyClientCert. The default behavior is for TLS servers to not verify client certificates. CVE-2024-24783 Unknown False Positive SCALE 24.10.0 Link Go stdlib not used for certificate verification.
stdlib go1.21.6 If errors returned from MarshalJSON methods contain user controlled data, they may be used to break the contextual auto-escaping behavior of the html/template package, allowing for subsequent actions to inject unexpected content into templates. CVE-2024-24785 Unknown False Positive SCALE 24.10.0 Link go stdlib not used to parse untrusted JSON
libssl3 3.0.13-1~deb12u2 Issue summary: Some non-default TLS server configurations can cause unbounded memory growth when processing TLSv1.3 sessions. Impact summary: An attacker may exploit certain server configurations to trigger unbounded memory growth that would lead to a Denial of Service. This problem can occur in TLSv1.3 if the non-default SSL_OP_NO_TICKET option is being used (but not if early_data support is also configured and the default anti-replay protection is in use). In this case, under certain conditions, the session cache can get into an incorrect state and it will fail to flush properly as it fills. The session cache will continue to grow in an unbounded manner. A malicious client could deliberately create the scenario for this failure to force a Denial of Service. It may also happen by accident in normal operation. This issue only affects TLS servers supporting TLSv1.3. It does not affect TLS clients. The FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue. OpenSSL 1.0.2 is also not affected by this issue. CVE-2024-2511 Unknown False Positive SCALE 24.10.0 Link Requires non-default TLS server config.
iperf3 3.12-1+deb12u1 iPerf3 before 3.17, when used with OpenSSL before 3.2.0 as a server with RSA authentication, allows a timing side channel in RSA decryption operations. This side channel could be sufficient for an attacker to recover credential plaintext. It requires the attacker to send a large number of messages for decryption, as described in "Everlasting ROBOT: the Marvin Attack" by Hubert Kario. CVE-2024-26306 Unknown False Positive SCALE 24.10.0 Link iperf3 server not used.
krb5-user 1.20.1-2+deb12u1 Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in /krb5/src/lib/rpc/pmap_rmt.c. CVE-2024-26458 Unknown False Positive SCALE 24.10.0 Link Memory leak only; no security implications.
krb5-user 1.20.1-2+deb12u1 Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/kdc/ndr.c. CVE-2024-26462 Unknown False Positive SCALE 24.10.0 Link Memory leak only; no security implications.
libxencall1 4.17.3+10-g091466ba55-1~deb12u1 Because of a logical error in XSA-407 (Branch Type Confusion), the mitigation is not applied properly when it is intended to be used. XSA-434 (Speculative Return Stack Overflow) uses the same infrastructure, so is equally impacted. For more details, see: https://xenbits.xen.org/xsa/advisory-407.html https://xenbits.xen.org/xsa/advisory-434.html CVE-2024-31142 Unknown False Positive SCALE 24.10.0 Link Do not run untrusted guest VMs.
libclang-cpp14 1:14.0.6-12 LLVM before 18.1.3 generates code in which the LR register can be overwritten without data being saved to the stack, and thus there can sometimes be an exploitable error in the flow of control. This affects the ARM backend and can be demonstrated with Clang. NOTE: the vendor perspective is "we don't have strong objections for a CVE to be created ... It does seem that the likelihood of this miscompile enabling an exploit remains very low, because the miscompile resulting in this JOP gadget is such that the function is most likely to crash on most valid inputs to the function. So, if this function is covered by any testing, the miscompile is most likely to be discovered before the binary is shipped to production." CVE-2024-31852 Unknown False Positive SCALE 24.10.0 Link ARM cpu only.
stdlib go1.21.12 Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion. CVE-2024-34155 Unknown False Positive SCALE 24.10.0 Link Build-time problem only.
libopenipmi0 2.0.33-1+b1 OpenIPMI before 2.0.36 has an out-of-bounds array access (for authentication type) in the ipmi_sim simulator, resulting in denial of service or (with very low probability) authentication bypass or code execution. CVE-2024-42934 Unknown False Positive SCALE 24.10.0 Link Simulator not used.
libxencall1 4.17.3+10-g091466ba55-1~deb12u1 In x86's APIC (Advanced Programmable Interrupt Controller) architecture, error conditions are reported in a status register. Furthermore, the OS can opt to receive an interrupt when a new error occurs. It is possible to configure the error interrupt with an illegal vector, which generates an error when an error interrupt is raised. This case causes Xen to recurse through vlapic_error(). The recursion itself is bounded; errors accumulate in the status register and only generate an interrupt when a new status bit becomes set. However, the lock protecting this state in Xen will try to be taken recursively, and deadlock. CVE-2024-45817 Unknown False Positive SCALE 24.10.0 Link Do not run untrusted VM guests in TrueNAS.
libssl3 3.0.13-1~deb12u2 CVE-2024-4741 Unknown False Positive SCALE 24.10.0 Link Vulnerable code not used in TrueNAS
qemu-block-extra 1:7.2+dfsg-7+deb12u6 CVE-2024-7730 Unknown False Positive SCALE 24.10.0 Link Do not run untrusted VM guests.
libpython3.11 3.11.2-6+deb12u2 There is a HIGH severity vulnerability affecting the CPython "zipfile" module affecting "zipfile.Path". Note that the more common API "zipfile.ZipFile" class is unaffected. When iterating over names of entries in a zip archive (for example, methods of "zipfile.Path" like "namelist()", "iterdir()", etc) the process can be put into an infinite loop with a maliciously crafted zip archive. This defect applies when reading only metadata or extracting the contents of the zip archive. Programs that are not handling user-controlled zip archives are not affected. CVE-2024-8088 Unknown False Positive SCALE 24.10.0 Link zipfile code not used to parse untrusted zip files.
libssl3 3.0.13-1~deb12u2 Issue summary: Use of the low-level GF(2^m) elliptic curve APIs with untrusted explicit values for the field polynomial can lead to out-of-bounds memory reads or writes. Impact summary: Out of bound memory writes can lead to an application crash or even a possibility of a remote code execution, however, in all the protocols involving Elliptic Curve Cryptography that we're aware of, either only "named curves" are supported, or, if explicit curve parameters are supported, they specify an X9.62 encoding of binary (GF(2^m)) curves that can't represent problematic input values. Thus the likelihood of existence of a vulnerable application is low. In particular, the X9.62 encoding is used for ECC keys in X.509 certificates, so problematic inputs cannot occur in the context of processing X.509 certificates. Any problematic use-cases would have to be using an "exotic" curve encoding. The affected APIs include: EC_GROUP_new_curve_GF2m(), EC_GROUP_new_from_params(), and various supporting BN_GF2m_*() functions. Applications working with "exotic" explicit binary (GF(2^m)) curve parameters, that make it possible to represent invalid field polynomials with a zero constant term, via the above or similar APIs, may terminate abruptly as a result of reading or writing outside of array bounds. Remote code execution cannot easily be ruled out. The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue. CVE-2024-9143 Unknown False Positive SCALE 24.10.0 Link libssl not used for explicit EC curves.
BMC IPMI firmware The IPMI 2.0 specification supports RMCP+ Authenticated Key-Exchange Protocol (RAKP) authentication, which allows remote attackers to obtain password hashes and conduct offline password guessing attacks by obtaining the HMAC from a RAKP message 2 response from a BMC. CVE-2013-4786 High Low M30 Not yet resolved Link As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low.
BMC IPMI firmware The IPMI 2.0 specification supports RMCP+ Authenticated Key-Exchange Protocol (RAKP) authentication, which allows remote attackers to obtain password hashes and conduct offline password guessing attacks by obtaining the HMAC from a RAKP message 2 response from a BMC. CVE-2013-4786 High Low M40 (G1/G2/G3) Not yet resolved Link As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low.
BMC IPMI firmware The IPMI 2.0 specification supports RMCP+ Authenticated Key-Exchange Protocol (RAKP) authentication, which allows remote attackers to obtain password hashes and conduct offline password guessing attacks by obtaining the HMAC from a RAKP message 2 response from a BMC. CVE-2013-4786 High Low M50 (G1/G2/G3) Not yet resolved Link As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low.
BMC IPMI firmware The IPMI 2.0 specification supports RMCP+ Authenticated Key-Exchange Protocol (RAKP) authentication, which allows remote attackers to obtain password hashes and conduct offline password guessing attacks by obtaining the HMAC from a RAKP message 2 response from a BMC. CVE-2013-4786 High Low M60 Not yet resolved Link As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low.
BMC IPMI firmware The IPMI 2.0 specification supports RMCP+ Authenticated Key-Exchange Protocol (RAKP) authentication, which allows remote attackers to obtain password hashes and conduct offline password guessing attacks by obtaining the HMAC from a RAKP message 2 response from a BMC. CVE-2013-4786 High Low R10 Not yet resolved Link As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low.
BMC IPMI firmware The IPMI 2.0 specification supports RMCP+ Authenticated Key-Exchange Protocol (RAKP) authentication, which allows remote attackers to obtain password hashes and conduct offline password guessing attacks by obtaining the HMAC from a RAKP message 2 response from a BMC. CVE-2013-4786 High Low R20 Not yet resolved Link As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low.
BMC IPMI firmware The IPMI 2.0 specification supports RMCP+ Authenticated Key-Exchange Protocol (RAKP) authentication, which allows remote attackers to obtain password hashes and conduct offline password guessing attacks by obtaining the HMAC from a RAKP message 2 response from a BMC. CVE-2013-4786 High Low R20A Not yet resolved Link As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low.
BMC IPMI firmware The IPMI 2.0 specification supports RMCP+ Authenticated Key-Exchange Protocol (RAKP) authentication, which allows remote attackers to obtain password hashes and conduct offline password guessing attacks by obtaining the HMAC from a RAKP message 2 response from a BMC. CVE-2013-4786 High Low R20B Not yet resolved Link As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low.
BMC IPMI firmware The IPMI 2.0 specification supports RMCP+ Authenticated Key-Exchange Protocol (RAKP) authentication, which allows remote attackers to obtain password hashes and conduct offline password guessing attacks by obtaining the HMAC from a RAKP message 2 response from a BMC. CVE-2013-4786 High Low R40 Not yet resolved Link As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low.
BMC IPMI firmware The IPMI 2.0 specification supports RMCP+ Authenticated Key-Exchange Protocol (RAKP) authentication, which allows remote attackers to obtain password hashes and conduct offline password guessing attacks by obtaining the HMAC from a RAKP message 2 response from a BMC. CVE-2013-4786 High Low R50 Not yet resolved Link As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low.
BMC IPMI firmware The IPMI 2.0 specification supports RMCP+ Authenticated Key-Exchange Protocol (RAKP) authentication, which allows remote attackers to obtain password hashes and conduct offline password guessing attacks by obtaining the HMAC from a RAKP message 2 response from a BMC. CVE-2013-4786 High Low R50B Not yet resolved Link As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low.
BMC IPMI firmware The IPMI 2.0 specification supports RMCP+ Authenticated Key-Exchange Protocol (RAKP) authentication, which allows remote attackers to obtain password hashes and conduct offline password guessing attacks by obtaining the HMAC from a RAKP message 2 response from a BMC. CVE-2013-4786 High Low R50BM Not yet resolved Link As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low.
Supermicro BMC IPMI firmware (1.71.11) An attacker needs to be logged into BMC with administrator privileges to exploit the vulnerability. An unvalidated input value could allow the attacker to perform command injection. CVE-2023-40289 False Positive False Positive R10 N/A Link N/A to iX custom FW
Supermicro BMC IPMI firmware (1.71.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. CVE-2023-40284 False Positive False Positive R10 N/A Link N/A to iX custom FW
Supermicro BMC IPMI firmware (1.71.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. CVE-2023-40287 High Low R10 Not yet resolved Link As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low.
Supermicro BMC IPMI firmware (1.71.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. CVE-2023-40288 High Low R10 Not yet resolved Link As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low.
Supermicro BMC IPMI firmware (1.71.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. This vulnerability can only be exploited using Windows IE11 browser. CVE-2023-40290 False Positive False Positive R10 N/A Link N/A to iX custom FW
Supermicro BMC IPMI firmware (1.71.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. The attacker poisons the administrator’s browser cookies and local storage to create a new user. CVE-2023-40285 False Positive False Positive R10 N/A Link N/A to iX custom FW
Supermicro BMC IPMI firmware (1.71.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. The attacker poisons the administrator’s browser cookies and local storage to create a new user. CVE-2023-40286 High Low R10 Not yet resolved Link As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low.
Supermicro BMC IPMI firmware (1.71.11) An attacker needs to be logged into BMC with administrator privileges to exploit the vulnerability. An unvalidated input value could allow the attacker to perform command injection. CVE-2023-40289 False Positive False Positive R20 N/A Link N/A to iX custom FW
Supermicro BMC IPMI firmware (1.71.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. CVE-2023-40284 False Positive False Positive R20 N/A Link N/A to iX custom FW
Supermicro BMC IPMI firmware (1.71.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. CVE-2023-40287 High Low R20 Not yet resolved Link As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low.
Supermicro BMC IPMI firmware (1.71.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. CVE-2023-40288 High Low R20 Not yet resolved Link As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low.
Supermicro BMC IPMI firmware (1.71.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. This vulnerability can only be exploited using Windows IE11 browser. CVE-2023-40290 False Positive False Positive R20 N/A Link N/A to iX custom FW
Supermicro BMC IPMI firmware (1.71.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. The attacker poisons the administrator’s browser cookies and local storage to create a new user. CVE-2023-40285 False Positive False Positive R20 N/A Link N/A to iX custom FW
Supermicro BMC IPMI firmware (1.71.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. The attacker poisons the administrator’s browser cookies and local storage to create a new user. CVE-2023-40286 High Low R20 Not yet resolved Link As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low.
Supermicro BMC IPMI firmware (1.71.11) An attacker needs to be logged into BMC with administrator privileges to exploit the vulnerability. An unvalidated input value could allow the attacker to perform command injection. CVE-2023-40289 False Positive False Positive R20A N/A Link N/A to iX custom FW
Supermicro BMC IPMI firmware (1.71.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. CVE-2023-40284 False Positive False Positive R20A N/A Link N/A to iX custom FW
Supermicro BMC IPMI firmware (1.71.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. CVE-2023-40287 High Low R20A Not yet resolved Link As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low.
Supermicro BMC IPMI firmware (1.71.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. CVE-2023-40288 High Low R20A Not yet resolved Link As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low.
Supermicro BMC IPMI firmware (1.71.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. This vulnerability can only be exploited using Windows IE11 browser. CVE-2023-40290 False Positive False Positive R20A N/A Link N/A to iX custom FW
Supermicro BMC IPMI firmware (1.71.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. The attacker poisons the administrator’s browser cookies and local storage to create a new user. CVE-2023-40285 False Positive False Positive R20A N/A Link N/A to iX custom FW
Supermicro BMC IPMI firmware (1.71.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. The attacker poisons the administrator’s browser cookies and local storage to create a new user. CVE-2023-40286 High Low R20A Not yet resolved Link As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low.
Supermicro BMC IPMI firmware (1.71.11) An attacker needs to be logged into BMC with administrator privileges to exploit the vulnerability. An unvalidated input value could allow the attacker to perform command injection. CVE-2023-40289 False Positive False Positive R40 N/A Link N/A to iX custom FW
Supermicro BMC IPMI firmware (1.71.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. CVE-2023-40284 False Positive False Positive R40 N/A Link N/A to iX custom FW
Supermicro BMC IPMI firmware (1.71.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. CVE-2023-40287 High Low R40 Not yet resolved Link As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low.
Supermicro BMC IPMI firmware (1.71.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. CVE-2023-40288 High Low R40 Not yet resolved Link As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low.
Supermicro BMC IPMI firmware (1.71.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. This vulnerability can only be exploited using Windows IE11 browser. CVE-2023-40290 False Positive False Positive R40 N/A Link N/A to iX custom FW
Supermicro BMC IPMI firmware (1.71.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. The attacker poisons the administrator’s browser cookies and local storage to create a new user. CVE-2023-40285 False Positive False Positive R40 N/A Link N/A to iX custom FW
Supermicro BMC IPMI firmware (1.71.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. The attacker poisons the administrator’s browser cookies and local storage to create a new user. CVE-2023-40286 High Low R40 Not yet resolved Link As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low.
Supermicro BMC IPMI firmware (1.71.11) An attacker needs to be logged into BMC with administrator privileges to exploit the vulnerability. An unvalidated input value could allow the attacker to perform command injection. CVE-2023-40289 False Positive False Positive R50 N/A Link N/A to iX custom FW
Supermicro BMC IPMI firmware (1.71.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. CVE-2023-40284 False Positive False Positive R50 N/A Link N/A to iX custom FW
Supermicro BMC IPMI firmware (1.71.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. CVE-2023-40287 High Low R50 Not yet resolved Link As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low.
Supermicro BMC IPMI firmware (1.71.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. CVE-2023-40288 High Low R50 Not yet resolved Link As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low.
Supermicro BMC IPMI firmware (1.71.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. This vulnerability can only be exploited using Windows IE11 browser. CVE-2023-40290 False Positive False Positive R50 N/A Link N/A to iX custom FW
Supermicro BMC IPMI firmware (1.71.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. The attacker poisons the administrator’s browser cookies and local storage to create a new user. CVE-2023-40285 False Positive False Positive R50 N/A Link N/A to iX custom FW
Supermicro BMC IPMI firmware (1.71.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. The attacker poisons the administrator’s browser cookies and local storage to create a new user. CVE-2023-40286 High Low R50 Not yet resolved Link As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low.
Supermicro BMC IPMI firmware (6.74.11) An attacker needs to be logged into BMC with administrator privileges to exploit the vulnerability. An unvalidated input value could allow the attacker to perform command injection. CVE-2023-40289 False Positive False Positive R20B N/A Link N/A to iX custom FW
Supermicro BMC IPMI firmware (6.74.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. CVE-2023-40284 False Positive False Positive R20B N/A Link N/A to iX custom FW
Supermicro BMC IPMI firmware (6.74.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. CVE-2023-40287 High Low R20B Not yet resolved Link As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low.
Supermicro BMC IPMI firmware (6.74.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. CVE-2023-40288 High Low R20B Not yet resolved Link As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low.
Supermicro BMC IPMI firmware (6.74.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. This vulnerability can only be exploited using Windows IE11 browser. CVE-2023-40290 False Positive False Positive R20B N/A Link N/A to iX custom FW
Supermicro BMC IPMI firmware (6.74.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. The attacker poisons the administrator’s browser cookies and local storage to create a new user. CVE-2023-40285 False Positive False Positive R20B N/A Link N/A to iX custom FW
Supermicro BMC IPMI firmware (6.74.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. The attacker poisons the administrator’s browser cookies and local storage to create a new user. CVE-2023-40286 High Low R20B Not yet resolved Link As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low.
Supermicro BMC IPMI firmware (6.74.11) An attacker needs to be logged into BMC with administrator privileges to exploit the vulnerability. An unvalidated input value could allow the attacker to perform command injection. CVE-2023-40289 False Positive False Positive R50B N/A Link N/A to iX custom FW
Supermicro BMC IPMI firmware (6.74.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. CVE-2023-40284 False Positive False Positive R50B N/A Link N/A to iX custom FW
Supermicro BMC IPMI firmware (6.74.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. CVE-2023-40287 High Low R50B Not yet resolved Link As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low.
Supermicro BMC IPMI firmware (6.74.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. CVE-2023-40288 High Low R50B Not yet resolved Link As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low.
Supermicro BMC IPMI firmware (6.74.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. This vulnerability can only be exploited using Windows IE11 browser. CVE-2023-40290 False Positive False Positive R50B N/A Link N/A to iX custom FW
Supermicro BMC IPMI firmware (6.74.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. The attacker poisons the administrator’s browser cookies and local storage to create a new user. CVE-2023-40285 False Positive False Positive R50B N/A Link N/A to iX custom FW
Supermicro BMC IPMI firmware (6.74.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. The attacker poisons the administrator’s browser cookies and local storage to create a new user. CVE-2023-40286 High Low R50B Not yet resolved Link As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low.
Supermicro BMC IPMI firmware (6.74.11) An attacker needs to be logged into BMC with administrator privileges to exploit the vulnerability. An unvalidated input value could allow the attacker to perform command injection. CVE-2023-40289 False Positive False Positive R50BM N/A Link N/A to iX custom FW
Supermicro BMC IPMI firmware (6.74.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. CVE-2023-40284 False Positive False Positive R50BM N/A Link N/A to iX custom FW
Supermicro BMC IPMI firmware (6.74.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. CVE-2023-40287 High Low R50BM Not yet resolved Link As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low.
Supermicro BMC IPMI firmware (6.74.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. CVE-2023-40288 High Low R50BM Not yet resolved Link As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low.
Supermicro BMC IPMI firmware (6.74.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. This vulnerability can only be exploited using Windows IE11 browser. CVE-2023-40290 False Positive False Positive R50BM N/A Link N/A to iX custom FW
Supermicro BMC IPMI firmware (6.74.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. The attacker poisons the administrator’s browser cookies and local storage to create a new user. CVE-2023-40285 False Positive False Positive R50BM N/A Link N/A to iX custom FW
Supermicro BMC IPMI firmware (6.74.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. The attacker poisons the administrator’s browser cookies and local storage to create a new user. CVE-2023-40286 High Low R50BM Not yet resolved Link As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low.
Supermicro BMC IPMI firmware (6.74.11) An attacker needs to be logged into BMC with administrator privileges to exploit the vulnerability. An unvalidated input value could allow the attacker to perform command injection. CVE-2023-40289 False Positive False Positive M30 N/A Link N/A to iX custom FW
Supermicro BMC IPMI firmware (6.74.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. CVE-2023-40284 False Positive False Positive M30 N/A Link N/A to iX custom FW
Supermicro BMC IPMI firmware (6.74.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. CVE-2023-40287 High Low M30 Not yet resolved Link As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low.
Supermicro BMC IPMI firmware (6.74.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. CVE-2023-40288 High Low M30 Not yet resolved Link As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low.
Supermicro BMC IPMI firmware (6.74.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. This vulnerability can only be exploited using Windows IE11 browser. CVE-2023-40290 False Positive False Positive M30 N/A Link N/A to iX custom FW
Supermicro BMC IPMI firmware (6.74.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. The attacker poisons the administrator’s browser cookies and local storage to create a new user. CVE-2023-40285 False Positive False Positive M30 N/A Link N/A to iX custom FW
Supermicro BMC IPMI firmware (6.74.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. The attacker poisons the administrator’s browser cookies and local storage to create a new user. CVE-2023-40286 High Low M30 Not yet resolved Link As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low.
Supermicro BMC IPMI firmware (6.74.11) An attacker needs to be logged into BMC with administrator privileges to exploit the vulnerability. An unvalidated input value could allow the attacker to perform command injection. CVE-2023-40289 False Positive False Positive M40 (G1/G2/G3) N/A Link N/A to iX custom FW
Supermicro BMC IPMI firmware (6.74.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. CVE-2023-40284 False Positive False Positive M40 (G1/G2/G3) N/A Link N/A to iX custom FW
Supermicro BMC IPMI firmware (6.74.11) An attacker could send a phishing link that does not require login, tricking BMC administrators into clicking that link while they are still logged in and thus authenticated by the BMC Web UI. CVE-2023-40287 High Low M40 (G1/G2/G3) Not yet resolved Link As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low.
Supermicro BMC IPMI firmware (6.74.11) An attacker could send a phishing link that does not require login, tricking BMC administrators into clicking that link while they are still logged in and thus authenticated by the BMC Web UI. CVE-2023-40288 High Low M40 (G1/G2/G3) Not yet resolved Link As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low.
Supermicro BMC IPMI firmware (6.74.11) An attacker could send a phishing link that does not require login, tricking BMC administrators into clicking that link while they are still logged in and thus authenticated by the BMC Web UI. This vulnerability can only be exploited using the Windows IE11 browser. CVE-2023-40290 False Positive False Positive M40 (G1/G2/G3) N/A Link N/A to iX custom FW
Supermicro BMC IPMI firmware (6.74.11) An attacker could send a phishing link that does not require login, tricking BMC administrators into clicking that link while they are still logged in and thus authenticated by the BMC Web UI. The attacker poisons the administrator's browser cookies and local storage to create a new user. CVE-2023-40285 False Positive False Positive M40 (G1/G2/G3) N/A Link N/A to iX custom FW
Supermicro BMC IPMI firmware (6.74.11) An attacker could send a phishing link that does not require login, tricking BMC administrators into clicking that link while they are still logged in and thus authenticated by the BMC Web UI. The attacker poisons the administrator's browser cookies and local storage to create a new user. CVE-2023-40286 High Low M40 (G1/G2/G3) Not yet resolved Link As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low.
Supermicro BMC IPMI firmware (6.74.11) An attacker needs to be logged into the BMC with administrator privileges to exploit the vulnerability. An unvalidated input value could allow the attacker to perform command injection. CVE-2023-40289 False Positive False Positive M50 (G1/G2/G3) N/A Link N/A to iX custom FW
Supermicro BMC IPMI firmware (6.74.11) An attacker could send a phishing link that does not require login, tricking BMC administrators into clicking that link while they are still logged in and thus authenticated by the BMC Web UI. CVE-2023-40284 False Positive False Positive M50 (G1/G2/G3) N/A Link N/A to iX custom FW
Supermicro BMC IPMI firmware (6.74.11) An attacker could send a phishing link that does not require login, tricking BMC administrators into clicking that link while they are still logged in and thus authenticated by the BMC Web UI. CVE-2023-40287 High Low M50 (G1/G2/G3) Not yet resolved Link As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low.
Supermicro BMC IPMI firmware (6.74.11) An attacker could send a phishing link that does not require login, tricking BMC administrators into clicking that link while they are still logged in and thus authenticated by the BMC Web UI. CVE-2023-40288 High Low M50 (G1/G2/G3) Not yet resolved Link As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low.
Supermicro BMC IPMI firmware (6.74.11) An attacker could send a phishing link that does not require login, tricking BMC administrators into clicking that link while they are still logged in and thus authenticated by the BMC Web UI. This vulnerability can only be exploited using the Windows IE11 browser. CVE-2023-40290 False Positive False Positive M50 (G1/G2/G3) N/A Link N/A to iX custom FW
Supermicro BMC IPMI firmware (6.74.11) An attacker could send a phishing link that does not require login, tricking BMC administrators into clicking that link while they are still logged in and thus authenticated by the BMC Web UI. The attacker poisons the administrator's browser cookies and local storage to create a new user. CVE-2023-40285 False Positive False Positive M50 (G1/G2/G3) N/A Link N/A to iX custom FW
Supermicro BMC IPMI firmware (6.74.11) An attacker could send a phishing link that does not require login, tricking BMC administrators into clicking that link while they are still logged in and thus authenticated by the BMC Web UI. The attacker poisons the administrator's browser cookies and local storage to create a new user. CVE-2023-40286 High Low M50 (G1/G2/G3) Not yet resolved Link As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low.
Supermicro BMC IPMI firmware (6.74.11) An attacker needs to be logged into the BMC with administrator privileges to exploit the vulnerability. An unvalidated input value could allow the attacker to perform command injection. CVE-2023-40289 False Positive False Positive M60 N/A Link N/A to iX custom FW
Supermicro BMC IPMI firmware (6.74.11) An attacker could send a phishing link that does not require login, tricking BMC administrators into clicking that link while they are still logged in and thus authenticated by the BMC Web UI. CVE-2023-40284 False Positive False Positive M60 N/A Link N/A to iX custom FW
Supermicro BMC IPMI firmware (6.74.11) An attacker could send a phishing link that does not require login, tricking BMC administrators into clicking that link while they are still logged in and thus authenticated by the BMC Web UI. CVE-2023-40287 High Low M60 Not yet resolved Link As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low.
Supermicro BMC IPMI firmware (6.74.11) An attacker could send a phishing link that does not require login, tricking BMC administrators into clicking that link while they are still logged in and thus authenticated by the BMC Web UI. CVE-2023-40288 High Low M60 Not yet resolved Link As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low.
Supermicro BMC IPMI firmware (6.74.11) An attacker could send a phishing link that does not require login, tricking BMC administrators into clicking that link while they are still logged in and thus authenticated by the BMC Web UI. This vulnerability can only be exploited using the Windows IE11 browser. CVE-2023-40290 False Positive False Positive M60 N/A Link N/A to iX custom FW
Supermicro BMC IPMI firmware (6.74.11) An attacker could send a phishing link that does not require login, tricking BMC administrators into clicking that link while they are still logged in and thus authenticated by the BMC Web UI. The attacker poisons the administrator's browser cookies and local storage to create a new user. CVE-2023-40285 False Positive False Positive M60 N/A Link N/A to iX custom FW
Supermicro BMC IPMI firmware (6.74.11) An attacker could send a phishing link that does not require login, tricking BMC administrators into clicking that link while they are still logged in and thus authenticated by the BMC Web UI. The attacker poisons the administrator's browser cookies and local storage to create a new user. CVE-2023-40286 High Low M60 Not yet resolved Link As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low.
ASRock IPMI The Redis process on the IPMI controller of ASRock motherboards is reachable via SSH port forwarding. ZDI-CAN-25636 High Low Mini E Not yet resolved Link As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low. Also, the SSH service for the IPMI system can be disabled from the IPMI web page for your system.
ASRock IPMI The Redis process on the IPMI controller of ASRock motherboards is reachable via SSH port forwarding. ZDI-CAN-25636 High Low Mini E+ Not yet resolved Link As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low. Also, the SSH service for the IPMI system can be disabled from the IPMI web page for your system.
ASRock IPMI The Redis process on the IPMI controller of ASRock motherboards is reachable via SSH port forwarding. ZDI-CAN-25636 High Low Mini X Not yet resolved Link As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low. Also, the SSH service for the IPMI system can be disabled from the IPMI web page for your system.
ASRock IPMI The Redis process on the IPMI controller of ASRock motherboards is reachable via SSH port forwarding. ZDI-CAN-25637 High Low Mini E Not yet resolved Link As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low. Also, the SSH service for the IPMI system can be disabled from the IPMI web page for your system.
ASRock IPMI The Redis process on the IPMI controller of ASRock motherboards is reachable via SSH port forwarding. ZDI-CAN-25637 High Low Mini E+ Not yet resolved Link As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low. Also, the SSH service for the IPMI system can be disabled from the IPMI web page for your system.
ASRock IPMI The Redis process on the IPMI controller of ASRock motherboards is reachable via SSH port forwarding. ZDI-CAN-25637 High Low Mini X Not yet resolved Link As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low. Also, the SSH service for the IPMI system can be disabled from the IPMI web page for your system.
ASRock IPMI The Redis process on the IPMI controller of ASRock motherboards is reachable via SSH port forwarding. ZDI-CAN-25638 High Low Mini E Not yet resolved Link As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low. Also, the SSH service for the IPMI system can be disabled from the IPMI web page for your system.
ASRock IPMI The Redis process on the IPMI controller of ASRock motherboards is reachable via SSH port forwarding. ZDI-CAN-25638 High Low Mini E+ Not yet resolved Link As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low. Also, the SSH service for the IPMI system can be disabled from the IPMI web page for your system.
ASRock IPMI The Redis process on the IPMI controller of ASRock motherboards is reachable via SSH port forwarding. ZDI-CAN-25638 High Low Mini X Not yet resolved Link As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low. Also, the SSH service for the IPMI system can be disabled from the IPMI web page for your system.